CVE-2025-43810 — Liferay Portal and DXP allows users to add a note to a different virtual instanc

Description

Insecure Direct Object Reference (IDOR) vulnerability with commerce order notes in Liferay Portal 7.3.5 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows remote authenticated users to from one virtual instance to add a note to an order in a different virtual instance via the _com_liferay_commerce_order_web_internal_portlet_CommerceOrderPortlet_commerceOrderId parameter.

How to fix CVE-2025-43810

To remediate CVE-2025-43810, upgrade the affected package to a fixed version below.

—upgrade to 11.0.164 or later

Is CVE-2025-43810 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 11.0.164

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-43810
PATCHgithub.com/liferay/liferay-portal
WEBgithub.com/liferay/liferay-portal/commit/72259fbf5a81596e99b615df480dee0b0fa3aa09
WEBgithub.com/liferay/liferay-portal/commit/9fad6a23b3c04146ef80a59b056f24b17cc2e721