The Layout module in Liferay Portal v7.3.3 through v7.4.3.34, and Liferay DXP 7.3 before update 10, and 7.4 before update 35 does not check user permission before showing the preview of a "Content Page" type page, allowing attackers to view unpublished "Content Page" pages via URL manipulation.
References
| Link | Resource |
|---|---|
| http://liferay.com | Product |
| https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-39975 | Patch, Vendor Advisory |
History
No history.
Information
Published : 2022-09-22 00:15
Updated : 2024-02-28 19:29
NVD link : CVE-2022-39975
Mitre link : CVE-2022-39975
CVE.ORG link : CVE-2022-39975
Products Affected
liferay
- dxp
- liferay_portal
CWE
CWE-862
Missing Authorization