Description

An Insecure direct object reference (IDOR) vulnerability in the Dynamic Data Mapping module in Liferay Portal 7.3.2 through 7.4.3.4, and Liferay DXP 7.3 before update 4, and 7.4 GA allows remote authenticated users to view and access form entries via the `formInstanceRecordId` parameter.

Remediation

References

http://liferay.com

https://issues.liferay.com/browse/LPE-17448

https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42129

Related Vulnerabilities

CVE-2015-7501 Vulnerability in maven package commons-collections:commons-collections

CVE-2021-21631 Vulnerability in maven package org.jenkins-ci.plugins:cloud-stats

CVE-2023-22849 Vulnerability in maven package org.apache.sling:org.apache.sling.cms.ui

CVE-2023-24442 Vulnerability in maven package org.jenkins-ci.plugins:github-pr-coverage-status

CVE-2018-7307 Vulnerability in npm package auth0-js

Severity

Medium

Classification

CWE-639 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Vendor Advisory