[LPE-17447] LSV-988: Unauthorized access to form entries via API - Liferay Issues

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 7.1 DXP (7.1.10), 7.2 DXP (7.2.10)
Fix Version/s: 7.1.x EE, 7.2.X EE
Component/s: Forms, Security Vulnerability
Labels:
- liferay-fixpack-dxp-19-7210
- liferay-fixpack-dxp-27-7110

CVE IDs:
CVE-2022-42130
CVSS Base Score:
4.3
CVSS Vector String:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
7.1 Fix Pack Version:
27
7.2 Fix Pack Version:
19
7.3 Fix Pack Version:
4
7.4 Fix Pack Version:
1

Description

The Dynamic Data Mapping module in Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 19, 7.3 before update 4, and 7.4 GA does not properly check permission of form entries, which allows remote authenticated users to view and access all form entries via the API.

Attachments

Activity

People

Assignee:: EE Support

Reporter:: Enterprise Release HU

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 13/Dec/21 6:12 AM

Updated:: 19/Oct/22 12:17 AM

Resolved:: 04/Jul/22 2:48 PM

Packages

Version	Package
7.1.x EE
7.2.X EE