CVE-2021-38268 — Incorrect Default Permissions in Digital Experience Platform

CWE-276 — Incorrect Default Permissions4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 69.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Digital Experience Platform Liferay Portal

Timeline

PublishedMar 2

Latest updateMar 3

Description

The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.6, and Liferay DXP 7.0 before fix pack 101, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 2 incorrectly sets default permissions for site members, which allows remote authenticated users with the site member role to add and duplicate forms, via the UI or the API.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDliferay/liferay_portal7.0.0 — 7.3.7

▶NVDliferay/digital_experience_platform< 7.2.1+2

Patches

Patch: portal.liferay.dev ↗Patch: portal.liferay.dev ↗

🔴Vulnerability Details

OSV

Liferay Portal and Liferay DXP has incorrect default permissions for site members↗2022-03-03

▶

GHSA

Liferay Portal and Liferay DXP has incorrect default permissions for site members↗2022-03-03

▶

CVEList

CVE-2021-38268: The Dynamic Data Mapping module in Liferay Portal 7↗2022-03-02

▶