CVE-2022-42130 com.liferay.portal:release.portal.bom

Package

Manager: maven
Name: com.liferay.portal:release.portal.bom
Vulnerable Version: >=7.1.0 <7.4.3.5

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00189 (percentile 0.40939)

Details

Incorrect Default Permissions in Liferay Portal

The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 19, 7.3 before update 4, and 7.4 GA does not properly check permission of form entries, which allows remote authenticated users to view and access all form entries.

Metadata

Created: 2022-11-15T12:00:16Z
Modified: 2025-05-01T13:29:56Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-mxvq-cv4x-p3jw/GHSA-mxvq-cv4x-p3jw.json
CWE IDs: ["CWE-276"]
Alternative ID: GHSA-mxvq-cv4x-p3jw
Finding: F159
Auto approve: 1