Description

An Insecure direct object reference (IDOR) vulnerability in the Dynamic Data Mapping module in Liferay Portal 7.3.2 through 7.4.3.4, and Liferay DXP 7.3 before update 4, and 7.4 GA allows remote authenticated users to view and access form entries via the `formInstanceRecordId` parameter.

Remediation

References

http://liferay.com

https://issues.liferay.com/browse/LPE-17448

https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42129

Related Vulnerabilities

CVE-2023-6393 Vulnerability in maven package io.quarkus:quarkus-cache

CVE-2021-21672 Vulnerability in maven package org.jenkins-ci.plugins:seleniumhtmlreport

CVE-2020-6426 Vulnerability in maven package org.webjars.npm:electron

CVE-2022-42126 Vulnerability in maven package com.liferay:com.liferay.depot.service

CVE-2018-1000174 Vulnerability in maven package org.jenkins-ci.plugins:google-login

Severity

Medium

Classification

CWE-639 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Vendor Advisory