CVE-2022-42126 The Asset Libraries module in Liferay Portal 7.3.5 through 7.4.3.28, and Liferay DXP 7.3 before update 8 and 7.4 before update 29 doesn't properly check permissions, which allows remote attackers to view asset libraries.

This issue has been addressed by revoking the ability to view asset libraries via the UI.

Liferay DXP 7.3 before update 8 and DXP 7.4 before update 29 allows remote authenticated users to view and create new asset libraries via the UI, which allows for remote uploading of arbitrary files and enabling of HTML code injection attacks. This issue has been resolved in the 7.5.0 version.

Liferay DXP 7.3 before update 8 and DXP 7.4 before update 29 allows remote authenticated users to upload arbitrary files via the asset library upload form, which allows for remote code injection attacks. This issue has been resolved in the 7.5.0 version.

Liferay DXP 7.3 before update 8 and DXP 7.4 before update 29 allows remote unauthenticated users to view asset libraries via the UI, which allows for remote file disclosure via the asset library listing form. This issue has been resolved in the 7.5.0 version.

Liferay DXP 7.3 before update 8 and DXP 7.4 before update 29 does not properly check permissions of asset libraries, which allows remote unauthenticated users to view asset libraries via the UI. This issue has been resolved in the 7.5.0 version.

Liferay DXP 7.3 before update 8, and DXP 7.4 before update 29 allows remote authenticated users to upload arbitrary files via the asset library upload form, which allows for

Credit

Liferay DXP 7.3 before update 8 and DXP 7.4 before update 29 allows remote authenticated users to view asset libraries via the UI, which allows for remote code injection attacks. This issue has been resolved in the 7.5.0 version. Liferay DXP 7.3 before update 8 and DXP 7.4 before update 29 allows remote unauthenticated users to view asset libraries via the UI, which allows for remote file disclosure via the asset library listing form. This issue has been resolved in the 7.5.0 version.

Liferay DXP 7.3 before update 8, and DXP 7.4 before update 29 does not properly check permissions of asset libraries, which allows remote unauthenticated users to view asset libraries via the UI.

DXP 7.5.0

The issue has been resolved in the 7.5.0 version.
