Description

The Data Engine module in Liferay Portal 7.3.0 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 does not check permissions in DataDefinitionResourceImpl.getSiteDataDefinitionByContentTypeByDataDefinitionKey, which allows remote authenticated users to view DDMStructures via GET API calls.

Remediation

References

CVE-2021-29052

Related Vulnerabilities

WordPress Plugin Dropdown Menu Widget Cross-Site Request Forgery (1.9.1)

WordPress Plugin Share on Diaspora Cross-Site Scripting (0.7.1)

FluxBB Other Vulnerability (CVE-2014-10030)

Handlebars CVE-2021-23369 Vulnerability (CVE-2021-23369)

YetiForce CRM Improper Input Validation Vulnerability (CVE-2021-4111)

Severity

Medium

Classification

CVE-2021-29052 CWE-276 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Missing Update Known Vulnerabilities