Description

The Dynamic Data Mapping module in Liferay Portal through v7.3.6 and Liferay DXP through v7.3 incorrectly sets default permissions for site members, allowing authenticated attackers to add and duplicate forms via the UI or the API.

Remediation

References

CVE-2021-38268

Related Vulnerabilities

Jetty Uncontrolled Resource Consumption Vulnerability (CVE-2020-27223)

WordPress Plugin WordPress Infinite Scroll-Ajax Load More Cross-Site Scripting (5.6.0.2)

WordPress Plugin Livemesh Addons for Elementor Security Bypass (2.5.2)

WordPress Plugin 3D Flick Slideshow 'upload.php' Arbitrary File Upload (2.1)

Magento Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') Vulnerability (CVE-2019-8126)

Severity

Medium

Classification

CVE-2021-38268 CWE-276 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Tags

Missing Update Known Vulnerabilities