Information disclosure in Liferay Enterprise Portal - CVE-2022-42129

 

Information disclosure in Liferay Enterprise Portal - CVE-2022-42129

Published: October 24, 2022


Vulnerability identifier: #VU68605
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-42129
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Liferay
Affected software:
Liferay Enterprise Portal

Detailed vulnerability description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to an insecure direct object reference (IDOR) issue in the Dynamic Data Mapping module in the "formInstanceRecordId" parameter. A remote user can view and access form entries.


How to mitigate CVE-2022-42129

Install updates from vendor's website.

Sources