Description

An Insecure direct object reference (IDOR) vulnerability in the Dynamic Data Mapping module in Liferay Portal 7.3.2 through 7.4.3.4, and Liferay DXP 7.3 before update 4, and 7.4 GA allows remote authenticated users to view and access form entries via the `formInstanceRecordId` parameter.

Remediation

References

http://liferay.com

https://issues.liferay.com/browse/LPE-17448

https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42129

Related Vulnerabilities

CVE-2014-3416 Vulnerability in maven package org.jasig.portal:uportal-war

CVE-2018-14042 Vulnerability in npm package bootstrap-sass

CVE-2017-1000085 Vulnerability in maven package org.jenkins-ci.plugins:subversion

CVE-2023-46650 Vulnerability in maven package com.coravy.hudson.plugins.github:github

CVE-2022-42890 Vulnerability in maven package org.apache.xmlgraphics:batik-script

Severity

Medium

Classification

CWE-639 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Vendor Advisory