Description

An Insecure direct object reference (IDOR) vulnerability in the Dynamic Data Mapping module in Liferay Portal 7.3.2 through 7.4.3.4, and Liferay DXP 7.3 before update 4, and 7.4 GA allows remote authenticated users to view and access form entries via the `formInstanceRecordId` parameter.

Remediation

References

http://liferay.com

https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42129

https://issues.liferay.com/browse/LPE-17448

Related Vulnerabilities

CVE-2022-40705 Vulnerability in maven package soap:soap

CVE-2017-4974 Vulnerability in maven package org.cloudfoundry.identity:cloudfoundry-identity-server

CVE-2023-30609 Vulnerability in npm package matrix-react-sdk

CVE-2017-7672 Vulnerability in maven package org.apache.struts:struts2-core

CVE-2017-5929 Vulnerability in maven package ch.qos.logback:logback-core

Severity

Medium

Classification

CWE-639 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Vendor Advisory