Description
The Layout module in Liferay Portal v7.3.3 through v7.4.3.34, and Liferay DXP 7.3 before update 10, and 7.4 before update 35 does not check user permission before showing the preview of a "Content Page" type page, allowing attackers to view unpublished "Content Page" pages via URL manipulation.
Remediation
References
http://liferay.com
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-39975
Related Vulnerabilities
CVE-2022-25857 Vulnerability in maven package org.yaml:snakeyaml
CVE-2020-26301 Vulnerability in npm package ssh2
CVE-2021-46708 Vulnerability in maven package org.webjars.npm:swagger-ui-dist
CVE-2021-21316 Vulnerability in npm package less-openui5
CVE-2018-11761 Vulnerability in maven package org.apache.tika:tika-parsers