CVE-2022-42129

MEDIUM4.3EPSS 0.19%

Authorization Bypass in Liferay Portal

Published: 11/15/2022Modified: 2/19/2024

Description

An Insecure direct object reference (IDOR) vulnerability in the Dynamic Data Mapping module in Liferay Portal 7.3.2 through 7.4.3.4, and Liferay DXP 7.3 before update 4, and 7.4 GA allows remote authenticated users to view and access form entries via the `formInstanceRecordId` parameter.

Affected packages (2)

Bitnami/liferay>= 7.3.0, <= 7.3.0, >= 7.4.0, <= 7.4.0
Maven/com.liferay.portal:release.portal.bom>= 7.3.2, < 7.4.3.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-42129
WEBhttp://liferay.com
WEBhttps://issues.liferay.com/browse/LPE-17448
WEBhttps://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42129