Description

Missing Authorization in Collection Provider component in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 allows instance users to read and select unauthorized Blueprints through the Collection Providers across instances.

Remediation

References

CVE-2025-62247

Related Vulnerabilities

PostgreSQL Heap-based Buffer Overflow Vulnerability (CVE-2026-2005)

WordPress Plugin Omni Secure Files 'upload.php' Arbitrary File Upload (0.1.13)

WordPress Deserialization of Untrusted Data Vulnerability (CVE-2018-20148)

Jenkins Improper Authentication Vulnerability (CVE-2017-2604)

WordPress Plugin myLinksDump 'url' Parameter SQL Injection (1.2)

Severity

Medium

Classification

CVE-2025-62247 CWE-862 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Missing Update Known Vulnerabilities