PT-2022-26277 · Liferay · Liferay Portal
Published: 2022-11-15 · Updated: 2024-01-31 · CVE-2022-42130
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Liferay Portal versions 7.1.0 through 7.4.3.4
Liferay DXP versions 7.1 before fix pack 27
Liferay DXP versions 7.2 before fix pack 19
Liferay DXP versions 7.3 before update 4
Liferay DXP version 7.4 GA
Description
The Dynamic Data Mapping module does not properly check permissions on form entries, allowing remote authenticated users to view and access all form entries.
Recommendations
For Liferay Portal versions 7.1.0 through 7.4.3.4, update to a version that includes the fix for the permission checking issue in the Dynamic Data Mapping module.
For Liferay DXP versions 7.1 before fix pack 27, apply fix pack 27 or later to resolve the issue.
For Liferay DXP versions 7.2 before fix pack 19, apply fix pack 19 or later to resolve the issue.
For Liferay DXP versions 7.3 before update 4, apply update 4 or later to resolve the issue.
For Liferay DXP version 7.4 GA, consider updating to a later version that includes the necessary security fixes.
Fix
Incorrect Default Permissions
Weakness Enumeration
Related Identifiers
Affected Products
Liferay DXP
Liferay Portal