Description

The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 19, 7.3 before update 4, and 7.4 GA does not properly check permission of form entries, which allows remote authenticated users to view and access all form entries.

Remediation

References

http://liferay.com

https://issues.liferay.com/browse/LPE-17447

https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42130

Related Vulnerabilities

CVE-2017-1000244 Vulnerability in maven package org.jvnet.hudson.plugins:favorite

CVE-2023-44483 Vulnerability in maven package org.apache.santuario:xmlsec

CVE-2021-31407 Vulnerability in maven package com.vaadin:flow-server

CVE-2007-4556 Vulnerability in maven package opensymphony:xwork

CVE-2020-13933 Vulnerability in maven package org.apache.shiro:shiro-web

Severity

Medium

Classification

CWE-276 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Vendor Advisory