Description

An Insecure direct object reference (IDOR) vulnerability in the Dynamic Data Mapping module in Liferay Portal 7.3.2 through 7.4.3.4, and Liferay DXP 7.3 before update 4, and 7.4 GA allows remote authenticated users to view and access form entries via the `formInstanceRecordId` parameter.

Remediation

References

http://liferay.com

https://issues.liferay.com/browse/LPE-17448

https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42129

Related Vulnerabilities

CVE-2019-16561 Vulnerability in maven package org.jenkins-ci.plugins:websphere-deployer

CVE-2019-10464 Vulnerability in maven package org.jenkins-ci.plugins:weblogic-deployer-plugin

CVE-2017-1000090 Vulnerability in maven package org.jenkins-ci.plugins:role-strategy

CVE-2023-37462 Vulnerability in maven package org.xwiki.platform:xwiki-platform-skin-ui

CVE-2020-11969 Vulnerability in maven package org.apache.tomee:openejb-core

Severity

Medium

Classification

CWE-639 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Vendor Advisory