Description
The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.2, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 6, does not properly check user permissions, which allows remote attackers with the forms "Access in Site Administration" permission to view all forms and form entries in a site via the forms section in site administration.
Remediation
References
Related Vulnerabilities
WordPress Plugin PDF & Print Button Joliprint Multiple Cross-Site Scripting Vulnerabilities (1.3.0)
Apache HTTP Server Improper Access Control Vulnerability (CVE-2016-4979)
Oracle JRE CVE-2018-2677 Vulnerability (CVE-2018-2677)
Plone CMS Permissions, Privileges, and Access Controls Vulnerability (CVE-2013-4193)
ATutor Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2011-3706)