PT-2022-26274 · Liferay · Liferay Portal+1

Published: 2022-11-15 · Updated: 2025-04-30 · CVE-2022-42128

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Liferay Portal versions 7.4.1 through 7.4.3.4
Liferay DXP version 7.4 GA

Description

The issue concerns the Hypermedia REST APIs module, which fails to properly check permissions. This allows remote attackers to obtain a WikiNode object via the "WikiNodeResource.getSiteWikiNodeByExternalReferenceCode" API endpoint, using the externalReferenceCode variable.

Recommendations

For Liferay Portal versions 7.4.1 through 7.4.3.4, consider restricting access to the WikiNodeResource API endpoint until a patch is available. For Liferay DXP version 7.4 GA, restrict access to the WikiNodeResource API endpoint until a patch is available. As a temporary workaround, consider disabling the WikiNodeResource.getSiteWikiNodeByExternalReferenceCode API endpoint until a patch is available.

Fix

Weakness Enumeration

Incorrect Default Permissions

Related Identifiers

BIT-LIFERAY-2022-42128
CVE-2022-42128
GHSA-WGQM-QP44-CG6X

Affected Products

Liferay DXP
Liferay Portal