CVE-2022-26595 — Incorrect Default Permissions in Digital Experience Platform

CWE-276 — Incorrect Default Permissions4 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.1%

top 70.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Digital Experience Platform Liferay Portal

Timeline

PublishedApr 19

Latest updateApr 20

Description

Liferay Portal 7.3.7, 7.4.0, and 7.4.1, and Liferay DXP 7.2 fix pack 13, and 7.3 fix pack 2 does not properly check user permission when accessing a list of sites/groups, which allows remote authenticated users to view sites/groups via the user's site membership assignment UI.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDliferay/liferay_portal7.3.7, 7.4.0, 7.4.1+2

▶NVDliferay/digital_experience_platform7.2, 7.3+1

🔴Vulnerability Details

GHSA

Liferay Portal and Liferay DXP fails to check permissions to view sites/groups↗2022-04-20

▶

OSV

Liferay Portal and Liferay DXP fails to check permissions to view sites/groups↗2022-04-20

▶

CVEList

CVE-2022-26595: Liferay Portal 7↗2022-04-19

▶