Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04M3F4LTI4OG0tNzJ3NM4AAvAO
Liferay Portal Missing Authorization vulnerability
The Layout module in Liferay Portal v7.3.3 through v7.4.3.34, and Liferay DXP 7.3 before update 10, and 7.4 before update 35 does not check user permission before showing the preview of a "Content Page" type page, allowing attackers to view unpublished "Content Page" pages via URL manipulation.
Permalink: https://github.com/advisories/GHSA-83qx-288m-72w4JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04M3F4LTI4OG0tNzJ3NM4AAvAO
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: almost 2 years ago
CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-83qx-288m-72w4, CVE-2022-39975
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-39975
- https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-39975
- http://liferay.com
- https://github.com/advisories/GHSA-83qx-288m-72w4
Affected Packages
maven:com.liferay.portal:release.portal.bom
Dependent packages: 5Dependent repositories: 33
Downloads:
Affected Version Ranges: >= 7.3.3, < 7.4.3.35
Fixed in: 7.4.3.35
All affected versions: 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.4.0, 7.4.1, 7.4.2
All unaffected versions: 7.0.6, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.3.2