CVE-2022-42126 — Improper Access Control in Portal

CWE-284 — Improper Access Control CWE-280 — Improper Handling of Insufficient Permissions or Privileges4 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.1%

top 65.23%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Portal Liferay Digital Experience Platform

Timeline

PublishedNov 15

Description

The Asset Libraries module in Liferay Portal 7.3.5 through 7.4.3.28, and Liferay DXP 7.3 before update 8, and DXP 7.4 before update 29 does not properly check permissions of asset libraries, which allows remote authenticated users to view asset libraries via the UI.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDliferay/liferay_portal7.3.5 — 7.4.3.29

▶NVDliferay/digital_experience_platform7.3, 7.4+1

🔴Vulnerability Details

OSV

Missing permissions check in Liferay Portal↗2022-11-15

▶

GHSA

Missing permissions check in Liferay Portal↗2022-11-15

▶

CVEList

CVE-2022-42126: The Asset Libraries module in Liferay Portal 7↗2022-11-15

▶