Insecure Direct Object Reference in Liferay Portal and DXP
CVE-2022-42129

4.3MEDIUM

Key Information:

Vendor: Liferay
Status: Digital Experience Platform; Liferay Portal
Vendor: CVE Published:; 15 November 2022

What is CVE-2022-42129?

An Insecure Direct Object Reference (IDOR) vulnerability exists in the Dynamic Data Mapping module of Liferay Portal and Liferay DXP, allowing remote authenticated users to view and access unauthorized form entries. This vulnerability arises due to improper validation of user-provided parameters, specifically the formInstanceRecordId. It affects Liferay Portal versions from 7.3.2 to 7.4.3.4, and Liferay DXP prior to the 4th update of version 7.3, as well as Liferay DXP 7.4 GA.

References

http://liferay.com

https://portal.liferay.dev/learn/security/known-vulnerabi...

https://issues.liferay.com/browse/LPE-17448

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 15, 2022
Vulnerability Reserved
Oct 3, 2022