Design/Logic Flaw

2021-08-0321:15:00

PRIOn knowledge base

www.prio-n.com

4.6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

35.3%

JSON

The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.2, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 6, does not properly check user permissions, which allows remote attackers with the forms “Access in Site Administration” permission to view all forms and form entries in a site via the forms section in site administration.

CPENameOperatorVersion
dxpeq7.0 fixpack81
dxpeq7.0 fixpack13
dxpeq7.0 fixpack14
dxpeq7.0 fixpack24
dxpeq7.0 fixpack25
dxpeq7.0 fixpack26
dxpeq7.0 fixpack27
dxpeq7.0 fixpack28
dxpeq7.0 fixpack3
dxpeq7.0 fixpack30

Name	Operator	Version
dxp	eq	7.0 fixpack81
dxp	eq	7.0 fixpack13
dxp	eq	7.0 fixpack14
dxp	eq	7.0 fixpack24
dxp	eq	7.0 fixpack25
dxp	eq	7.0 fixpack26
dxp	eq	7.0 fixpack27
dxp	eq	7.0 fixpack28
dxp	eq	7.0 fixpack3
dxp	eq	7.0 fixpack30