CVE-2022-42130 — Incorrect Default Permissions in Portal

CWE-276 — Incorrect Default Permissions4 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 59.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Portal Liferay Digital Experience Platform

Timeline

PublishedNov 15

Description

The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 19, 7.3 before update 4, and 7.4 GA does not properly check permission of form entries, which allows remote authenticated users to view and access all form entries.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDliferay/digital_experience_platform4 versions+3

▶NVDliferay/liferay_portal7.1.0 — 7.4.3.5

🔴Vulnerability Details

CVEList

CVE-2022-42130: The Dynamic Data Mapping module in Liferay Portal 7↗2022-11-15

▶

GHSA

Incorrect Default Permissions in Liferay Portal↗2022-11-15

▶

OSV

Incorrect Default Permissions in Liferay Portal↗2022-11-15

▶