CVE-2021-29052
published 2021-05-17
medium 4.3 (CVSS 3.1)
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
The Data Engine module in Liferay Portal 7.3.0 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 does not check permissions in DataDefinitionResourceImpl.getSiteDataDefinitionByContentTypeByDataDefinitionKey, which allows remote authenticated users to view DDMStructures via GET API calls.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| liferay | dxp | — | — |
| liferay | liferay_portal | 7.3.0 – 7.3.5 | — |