The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.6, and Liferay DXP 7.0 before fix pack 101, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 2 incorrectly sets default permissions for site members, which allows remote authenticated users with the site member role to add and duplicate forms, via the UI or the API.
References
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 06:16
Type | Values Removed | Values Added |
---|---|---|
References | () http://liferay.com - Vendor Advisory | |
References | () https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38268-site-member-can-add-new-forms-by-default - Vendor Advisory | |
References | () https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38268-site-member-can-add-new-forms-by-default?_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_HbL5mxmVrnXW_assetEntryId=120882524&_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_HbL5mxmVrnXW_redirect=https%3A%2F%2Fportal.liferay.dev%3A443%2Flearn%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetP - Patch, Vendor Advisory |
Information
Published : 2022-03-02 19:15
Updated : 2024-11-21 06:16
NVD link : CVE-2021-38268
Mitre link : CVE-2021-38268
CVE.ORG link : CVE-2021-38268
JSON object : View
Products Affected
liferay
- liferay_portal
- digital_experience_platform
CWE
CWE-276
Incorrect Default Permissions