PT-2022-26275 · Liferay · Liferay Portal+1

Published: 2022-11-15 · Updated: 2024-01-31 · CVE-2022-42129

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Liferay Portal versions 7.3.2 through 7.4.3.4
Liferay DXP versions 7.3 before update 4, and 7.4 GA

Description

An insecure direct object reference (IDOR) vulnerability in the Dynamic Data Mapping module allows remote authenticated users to view and access form entries via the formInstanceRecordId parameter.

Recommendations

For Liferay Portal versions 7.3.2 through 7.4.3.4, update to a version outside of this range to resolve the issue. For Liferay DXP version 7.3 before update 4, apply update 4 or later to fix the vulnerability. For Liferay DXP version 7.4 GA, consider disabling the Dynamic Data Mapping module or restricting access to the formInstanceRecordId parameter until a patch is available.

Fix

IDOR

Weakness Enumeration

Related Identifiers

BIT-LIFERAY-2022-42129
CVE-2022-42129
GHSA-G6X4-57HP-J4XM

Affected Products

Liferay DXP
Liferay Portal