Description

Missing Authorization in Collection Provider component in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 allows instance users to read and select unauthorized Blueprints through the Collection Providers across instances.

Remediation

References

CVE-2025-62247

Related Vulnerabilities

WordPress Plugin WooCommerce Security Bypass (2.1.7)

WordPress Plugin BJ Lazy Load Remote Code Execution (0.7.5)

MySQL CVE-2021-2036 Vulnerability (CVE-2021-2036)

Liferay DXP Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2024-8980)

Joomla Improper Input Validation Vulnerability (CVE-2015-8565)

Severity

Medium

Classification

CVE-2025-62247 CWE-862 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Missing Update Known Vulnerabilities