Description

The Friendly Url module in Liferay Portal 7.4.3.5 through 7.4.3.36, and Liferay DXP 7.4 update 1 though 36 does not properly check user permissions, which allows remote attackers to obtain the history of all friendly URLs that was assigned to a page.

Related CPE's

a

liferay

digital_experience_platform

2

a

liferay

liferay_portal

Vulnerable

References

http://liferay.com

Vendor Advisory

https://issues.liferay.com/browse/LPE-17607

Vendor Advisory

https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42127

Vendor Advisory

http://liferay.com

Vendor Advisory

https://issues.liferay.com/browse/LPE-17607

Vendor Advisory

https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42127

Vendor Advisory

Weaknesses

[email protected]

Primary
CWE-276

134c704f-9b21-4f2e-91b3-4a467353bcc0

Secondary
CWE-276

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.3 · Medium

Information

Source identifier

[email protected]

Vulnerability status

Modified

Published

2022-11-15T00:15:13.347Z

3 years ago

Last modified

2025-04-30T13:15:56.417Z

10 months ago