CVE-2022-38512 – com.liferay.portal:release.dxp.bom

Package

Manager: maven
Name: com.liferay.portal:release.dxp.bom
Vulnerable Version: >=7.4.13.u8 <7.4.13.u37

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00179 pctl0.39734

Details

Liferay Portal and Liferay DXP Fails to Check Permissions in Translation Module The Translation module before v2.0.58 from Liferay Portal (v7.4.3.12 through v7.4.3.36), and Liferay DXP 7.4 update 8 through 36 does not check permissions before allowing a user to export a web content for translation, allowing attackers to download a web content page's XLIFF translation file via crafted URL.

Metadata

Created: 2022-09-23T00:00:46Z
Modified: 2025-07-16T15:23:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-h9ww-wjg4-jvvg/GHSA-h9ww-wjg4-jvvg.json
CWE IDs: ["CWE-269", "CWE-862"]
Alternative ID: GHSA-h9ww-wjg4-jvvg
Finding: F159
Auto approve: 1