Description
The Asset Libraries module in Liferay Portal 7.3.5 through 7.4.3.28, and Liferay DXP 7.3 before update 8, and DXP 7.4 before update 29 does not properly check permissions of asset libraries, which allows remote authenticated users to view asset libraries via the UI.
Remediation
References
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42126
https://issues.liferay.com/browse/LPE-17593
http://liferay.com
Related Vulnerabilities
CVE-2022-42466 Vulnerability in maven package org.apache.isis.core:isis-applib
CVE-2023-40014 Vulnerability in npm package @openzeppelin/contracts
CVE-2023-25761 Vulnerability in maven package org.jenkins-ci.plugins:junit
CVE-2017-5662 Vulnerability in maven package batik:batik-dom
CVE-2017-4973 Vulnerability in maven package org.cloudfoundry.identity:cloudfoundry-identity-server