PT-2022-10708 · Liferay · Liferay Portal, Liferay DXP
Published: 2022-03-02 · Updated: 2024-01-31
CVE-2021-38268
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Liferay Portal versions 7.0.0 through 7.3.6
Liferay DXP versions 7.0 through 7.3 without the corresponding fix pack:
- 7.0 before fix pack 101
- 7.1 before fix pack 21
- 7.2 before fix pack 10
- 7.3 before fix pack 2
Description
The Dynamic Data Mapping module in Liferay Portal and Liferay DXP sets incorrect default permissions for the site member role. As a result, a remote authenticated user holding only the site member role can add and duplicate forms, either through the UI or through the API, without being explicitly granted those permissions.
Recommendations
For Liferay Portal versions 7.0.0 through 7.3.6, update to a version with the appropriate fix pack or later.
For Liferay DXP version 7.0, apply fix pack 101 or later.
For Liferay DXP version 7.1, apply fix pack 21 or later.
For Liferay DXP version 7.2, apply fix pack 10 or later.
For Liferay DXP version 7.3, apply fix pack 2 or later.
As a temporary workaround until the fix pack is applied, restrict the site member role's permissions on the Dynamic Data Mapping module so that it cannot add or duplicate forms.
Weakness Enumeration
Incorrect Default Permissions
Affected Products
Liferay DXP
Liferay Portal