CVE-2022-42129Authorization Bypass Through User-Controlled Key in Portal

CWE-639Authorization Bypass Through User-Controlled Key4 documents4 sources
Severity
4.3MEDIUMNVD
EPSS
0.2%
top 59.01%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Liferay PortalLiferay Digital Experience Platform
Timeline
PublishedNov 15

Description

An Insecure direct object reference (IDOR) vulnerability in the Dynamic Data Mapping module in Liferay Portal 7.3.2 through 7.4.3.4, and Liferay DXP 7.3 before update 4, and 7.4 GA allows remote authenticated users to view and access form entries via the `formInstanceRecordId` parameter.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

NVDliferay/liferay_portal7.3.27.4.3.5

🔴Vulnerability Details

3
CVEList
CVE-2022-42129: An Insecure direct object reference (IDOR) vulnerability in the Dynamic Data Mapping module in Liferay Portal 72022-11-15
OSV
Authorization Bypass in Liferay Portal2022-11-15
GHSA
Authorization Bypass in Liferay Portal2022-11-15
CVE-2022-42129 — Liferay Portal vulnerability | cvebase