CVE-2022-26595

Liferay Portal 7.3.7, 7.4.0, and 7.4.1, and Liferay DXP 7.2 fix pack 13, and 7.3 fix pack 2 does not properly check user permission when accessing a list of sites/groups, which allows remote authenticated users to view sites/groups via the user's site membership assignment UI.

Published: Apr 19, 2022
Updated: Apr 14, 2023
CVE: CVE-2022-26595
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.3
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v2:

Severity: Low
Score: 4
AV:N/AC:L/Au:S/C:P/I:N/A:N

CWEs:

CWE-276

Affected Software
References

Software	From	Fixed in
liferay / liferay_portal	7.4.0	7.4.0.x
liferay / digital_experience_platform	7.2-fix_pack_13	7.2-fix_pack_13.x
liferay / digital_experience_platform	7.3-fix_pack_2	7.3-fix_pack_2.x
liferay / liferay_portal	7.4.1	7.4.1.x
liferay / liferay_portal	7.3.7	7.3.7.x

http://liferay.com
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-26595-unauthorized-access-to-site-group-list

Vulnerability Database

289,784

CVE-2022-26595