CVE-2022-42128

Published: Nov 15, 2022Modified: Apr 30, 2025

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

The Hypermedia REST APIs module in Liferay Portal 7.4.1 through 7.4.3.4, and Liferay DXP 7.4 GA does not properly check permissions, which allows remote attackers to obtain a WikiNode object via the WikiNodeResource.getSiteWikiNodeByExternalReferenceCode API.

Affected (2)

Products: Liferay: Digital Experience Platform, Liferay Portal

2 products

Digital Experience Platform

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Liferay Digital Experience Platform	Version 7.4
Liferay Liferay Portal	From 7.4.1 to 7.4.3.5

Related CWEs

Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

References (6)

http://liferay.com

Source: cve@mitre.org

Vendor Advisory

https://issues.liferay.com/browse/LPE-17595

Source: cve@mitre.org

Vendor Advisory

https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42128

Source: cve@mitre.org

Vendor Advisory

http://liferay.com

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://issues.liferay.com/browse/LPE-17595

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42128

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.