GHSA-5x9h-p2gx-35mg

Suggest an improvement
Source
https://github.com/advisories/GHSA-5x9h-p2gx-35mg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-5x9h-p2gx-35mg/GHSA-5x9h-p2gx-35mg.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-5x9h-p2gx-35mg
Aliases
Published
2022-11-15T12:00:16Z
Modified
2023-12-06T00:47:37.467623Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Incorrect Default Permissions in Liferay Portal
Details

The Friendly Url module in Liferay Portal 7.4.3.5 through 7.4.3.36, and Liferay DXP 7.4 update 1 though 36 does not properly check user permissions, which allows remote attackers to obtain the history of all friendly URLs that was assigned to a page.

Database specific
{
    "nvd_published_at": "2022-11-15T01:15:00Z",
    "github_reviewed_at": "2022-11-21T23:46:18Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-276"
    ]
}
References

Affected packages

Maven / com.liferay.portal:release.portal.bom

Package

Name
com.liferay.portal:release.portal.bom
View open source insights on deps.dev
Purl
pkg:maven/com.liferay.portal/release.portal.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.4.3.5
Fixed
7.4.3.48

Affected versions

7.*

7.4.3.5
7.4.3.6
7.4.3.7
7.4.3.8
7.4.3.9
7.4.3.10
7.4.3.11
7.4.3.12
7.4.3.13
7.4.3.14
7.4.3.15
7.4.3.16
7.4.3.17
7.4.3.18
7.4.3.19
7.4.3.20
7.4.3.20-ga20
7.4.3.21
7.4.3.21-ga21
7.4.3.22
7.4.3.23
7.4.3.24
7.4.3.25
7.4.3.26
7.4.3.27
7.4.3.28
7.4.3.29
7.4.3.30
7.4.3.31
7.4.3.32
7.4.3.33
7.4.3.34
7.4.3.35
7.4.3.36
7.4.3.37
7.4.3.38
7.4.3.39
7.4.3.40
7.4.3.41
7.4.3.42
7.4.3.43
7.4.3.44
7.4.3.45
7.4.3.46
7.4.3.47

Database specific

{
    "last_known_affected_version_range": "<= 7.4.3.36"
}