CVE-2021-38268

The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.6, and Liferay DXP 7.0 before fix pack 101, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 2 incorrectly sets default permissions for site members, which allows remote authenticated users with the site member role to add and duplicate forms, via the UI or the API.

Published: Mar 2, 2022
Updated: Apr 14, 2023
CVE: CVE-2021-38268
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CVSS v2:

Severity: Low
Score: 4
AV:N/AC:L/Au:S/C:N/I:P/A:N

CWEs:

CWE-276

Affected Software
References

Software	From	Fixed in
liferay / digital_experience_platform	7.2-fix_pack_1	7.2-fix_pack_1.x
liferay / digital_experience_platform	7.2-fix_pack_2	7.2-fix_pack_2.x
liferay / digital_experience_platform	7.2-fix_pack_3	7.2-fix_pack_3.x
liferay / digital_experience_platform	7.2-fix_pack_5	7.2-fix_pack_5.x
liferay / digital_experience_platform	7.2-fix_pack_4	7.2-fix_pack_4.x
liferay / liferay_portal	7.0.0	7.3.7
liferay / digital_experience_platform	7.2-fix_pack_6	7.2-fix_pack_6.x
liferay / digital_experience_platform	7.2-fix_pack_7	7.2-fix_pack_7.x
liferay / digital_experience_platform	7.2-fix_pack_8	7.2-fix_pack_8.x
liferay / digital_experience_platform	7.2-fix_pack_9	7.2-fix_pack_9.x
liferay / digital_experience_platform	7.3-fix_pack_1	7.3-fix_pack_1.x
liferay / digital_experience_platform	7.3	7.3.x
liferay / digital_experience_platform	-	7.2.1

Vulnerability Database

289,784

CVE-2021-38268