Insecure Permissions in Liferay Portal and DXP WikiNode API
CVE-2022-42128

5.3MEDIUM

Key Information:

Vendor: Liferay
Status: Digital Experience Platform; Liferay Portal
Vendor: CVE Published:; 15 November 2022

What is CVE-2022-42128?

The Hypermedia REST APIs module in Liferay Portal and Liferay DXP has a significant flaw where it fails to properly validate permissions for API calls. This oversight allows remote attackers to exploit the vulnerable WikiNodeResource.getSiteWikiNodeByExternalReferenceCode API, potentially gaining unauthorized access to sensitive WikiNode objects. Attackers leveraging this vulnerability could manipulate the API to retrieve data that should only be accessible to authorized users, posing a serious risk to the integrity of the affected systems.

References

http://liferay.com

https://portal.liferay.dev/learn/security/known-vulnerabi...

https://issues.liferay.com/browse/LPE-17595

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 15, 2022
Vulnerability Reserved
Oct 3, 2022