CVE-2022-42129

An Insecure direct object reference (IDOR) vulnerability in the Dynamic Data Mapping module in Liferay Portal 7.3.2 through 7.4.3.4, and Liferay DXP 7.3 before update 4, and 7.4 GA allows remote authenticated users to view and access form entries via the formInstanceRecordId parameter.

Published: Nov 15, 2022
Updated: May 10, 2024
CVE: CVE-2022-42129
GHSA: GHSA-g6x4-57hp-j4xm
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.3
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWEs:

CWE-639

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
liferay / digital_experience_platform	7.3	7.3.x
liferay / liferay_portal	7.3.2	7.4.3.5
liferay / digital_experience_platform	7.4	7.4.x
com.liferay.portal / release.portal.bom	7.3.2	7.4.3.5

http://liferay.com
https://issues.liferay.com/browse/LPE-17448
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42129

Vulnerability Database

289,782

CVE-2022-42129