CVE-2022-42128 — Incorrect Default Permissions in Portal

CWE-276 — Incorrect Default Permissions4 documents4 sources

Severity

5.3MEDIUMNVD

EPSS

0.2%

top 59.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Portal Liferay Digital Experience Platform

Timeline

PublishedNov 15

Description

The Hypermedia REST APIs module in Liferay Portal 7.4.1 through 7.4.3.4, and Liferay DXP 7.4 GA does not properly check permissions, which allows remote attackers to obtain a WikiNode object via the WikiNodeResource.getSiteWikiNodeByExternalReferenceCode API.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶NVDliferay/liferay_portal7.4.1 — 7.4.3.5

▶NVDliferay/digital_experience_platform7.4

🔴Vulnerability Details

OSV

Incorrect Default Permissions in Liferay Portal↗2022-11-15

▶

GHSA

Incorrect Default Permissions in Liferay Portal↗2022-11-15

▶

CVEList

CVE-2022-42128: The Hypermedia REST APIs module in Liferay Portal 7↗2022-11-15

▶