CVE-2022-38512

The Translation module in Liferay Portal v7.4.3.12 through v7.4.3.36, and Liferay DXP 7.4 update 8 through 36 does not check permissions before allowing a user to export a web content for translation, allowing attackers to download a web content page's XLIFF translation file via crafted URL.

Published: Sep 22, 2022
Updated: Apr 14, 2023
CVE: CVE-2022-38512
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CWEs:

Affected Software
References

Software	From	Fixed in
liferay / liferay_portal	7.4.3.12	7.4.3.36.x
liferay / dxp	7.4-update_3	7.4-update_3.x
liferay / dxp	7.4-update_9	7.4-update_9.x
liferay / dxp	7.4-update_8	7.4-update_8.x
liferay / dxp	7.4-update_10	7.4-update_10.x
liferay / dxp	7.4-update_11	7.4-update_11.x
liferay / dxp	7.4-update_12	7.4-update_12.x
liferay / dxp	7.4-update_14	7.4-update_14.x
liferay / dxp	7.4-update_13	7.4-update_13.x
liferay / dxp	7.4-update_15	7.4-update_15.x
liferay / dxp	7.4-update_16	7.4-update_16.x
liferay / dxp	7.4-update_18	7.4-update_18.x
liferay / dxp	7.4-update_17	7.4-update_17.x
liferay / dxp	7.4-update_19	7.4-update_19.x
liferay / dxp	7.4-update_20	7.4-update_20.x
liferay / dxp	7.4-update_21	7.4-update_21.x
liferay / dxp	7.4-update_22	7.4-update_22.x
liferay / dxp	7.4-update_23	7.4-update_23.x
liferay / dxp	7.4-update_24	7.4-update_24.x
liferay / dxp	7.4-update_25	7.4-update_25.x
liferay / dxp	7.4-update_26	7.4-update_26.x
liferay / dxp	7.4-update_27	7.4-update_27.x
liferay / dxp	7.4-update_28	7.4-update_28.x
liferay / dxp	7.4-update_29	7.4-update_29.x
liferay / dxp	7.4-update_30	7.4-update_30.x
liferay / dxp	7.4-update_31	7.4-update_31.x
liferay / dxp	7.4-update_32	7.4-update_32.x
liferay / dxp	7.4-update_33	7.4-update_33.x
liferay / dxp	7.4-update_34	7.4-update_34.x
liferay / dxp	7.4-update_36	7.4-update_36.x
liferay / dxp	7.4-update_35	7.4-update_35.x

Vulnerability Database

290,020

CVE-2022-38512