[LPE-17039] Unauthorized users can view forms and form entries - Liferay Issues

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 7.0 DE (7.0.10), 7.1 DXP (7.1.10), 7.2 DXP (7.2.10)
Fix Version/s: 7.0.X EE, 7.1.x EE, 7.2.X EE
Component/s: Forms, Security Vulnerability
Labels:

CVE IDs:
CVE-2021-33334
CVSS Base Score:
4.3
CVSS Vector String:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
7.0 Fix Pack Version:
94
7.1 Fix Pack Version:
19
7.2 Fix Pack Version:
6

Description

Forms in Liferay DXP 7.0, 7.1 and 7.2 does not properly check user permissions, which allows remote attackers with the forms "Access in Site Administration" permission to view all forms in the site and the form entries via the forms section in site administration.

Attachments

Activity

People

Assignee:: EE Support

Reporter:: Enterprise Release HU

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 09/Jun/20 10:49 AM

Updated:: 02/Aug/21 12:15 AM

Resolved:: 29/Jun/20 3:45 AM

Packages

Version	Package
7.0.X EE
7.1.x EE
7.2.X EE