Description
An insecure direct object reference (IDOR) vulnerability in the Dynamic Data Mapping module in Liferay Portal 7.3.2 through 7.4.3.4, and in Liferay DXP 7.3 before update 4 and 7.4 GA, allows remote authenticated users to view and access form entries via the `formInstanceRecordId` parameter.
Remediation
References
http://liferay.com
https://issues.liferay.com/browse/LPE-17448
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42129