Home

Description

Missing Authorization in Collection Provider component in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 allows instance users to read and select unauthorized Blueprints through the Collection Providers across instances.

PUBLISHED Reserved 2025-10-09 | Published 2025-10-22 | Updated 2025-10-23 | Assigner Liferay




LOW: 2.0CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

Problem types

CWE-862 Missing Authorization

Product status

Default status
unaffected

7.4.0 (maven)
affected

Default status
unaffected

2024.Q1.1 (maven)
affected

2024.Q2.0 (maven)
affected

2024.Q3.1 (maven)
affected

2024.Q4.0 (maven)
affected

2025.Q1.0 (maven)
affected

2025.Q2.0 (maven)
affected

References

liferay.dev/...-/asset_publisher/jekt/content/CVE-2025-62247

cve.org (CVE-2025-62247)

nvd.nist.gov (CVE-2025-62247)

Download JSON