Description

An Insecure direct object reference (IDOR) vulnerability in the Dynamic Data Mapping module in Liferay Portal 7.3.2 through 7.4.3.4, and Liferay DXP 7.3 before update 4, and 7.4 GA allows remote authenticated users to view and access form entries via the `formInstanceRecordId` parameter.

Remediation

References

CVE-2022-42129

Related Vulnerabilities

PleskWin Permissions, Privileges, and Access Controls Vulnerability (CVE-2013-4878)

Magento Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Vulnerability (CVE-2016-4010)

WordPress Plugin Issuu Panel Local/Remote File Inclusion (1.6)

WordPress Plugin Amazon JS Cross-Site Scripting (0.10)

Atlassian Jira Incorrect Behavior Order: Validate Before Canonicalize Vulnerability (CVE-2022-26137)

Severity

Medium

Classification

CVE-2022-42129 CWE-639 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Missing Update Known Vulnerabilities