The Layout module in Liferay Portal v7.3.3 through v7.4.3.34, and Liferay DXP 7.3 before update 10, and 7.4 before update 35 does not check user permission before showing the preview of a "Content Page" type page, allowing attackers to view unpublished "Content Page" pages via URL manipulation.
References
| Link | Resource |
|---|---|
| http://liferay.com | Product |
| https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-39975 | Patch, Vendor Advisory |
Information
Published : 2022-09-21 17:15
Updated : 2022-09-23 11:17
NVD link : CVE-2022-39975
Mitre link : CVE-2022-39975
CWE
CWE-862
Missing Authorization
Products Affected
liferay
- liferay_portal
- dxp