CVE-2022-42129 – com.liferay.portal:release.portal.bom
Package
Manager: maven
Name: com.liferay.portal:release.portal.bom
Vulnerable Version: >=7.3.2 <7.4.3.5
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00189 (percentile 0.40939)
Details
Authorization Bypass in Liferay Portal
An insecure direct object reference (IDOR) vulnerability in the Dynamic Data Mapping module in Liferay Portal 7.3.2 through 7.4.3.4, and Liferay DXP 7.3 before update 4 and 7.4 GA, allows remote authenticated users to view and access form entries via the `formInstanceRecordId` parameter.
Metadata
Created: 2022-11-15T12:00:16Z
Modified: 2022-11-21T23:49:44Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-g6x4-57hp-j4xm/GHSA-g6x4-57hp-j4xm.json
CWE IDs: ["CWE-639"]
Alternative ID: GHSA-g6x4-57hp-j4xm
Finding: F039
Auto approve: 1