This issue has been addressed by revoking the ability to view asset libraries via the UI.

Liferay DXP 7.3 before update 8 and DXP 7.4 before update 29 allows remote authenticated users to view and create new asset libraries via the UI, which allows for remote uploading of arbitrary files and enabling of HTML code injection attacks. This issue has been resolved in the 7.5.0 version.

Liferay DXP 7.3 before update 8 and DXP 7.4 before update 29 allows remote authenticated users to upload arbitrary files via the asset library upload form, which allows for remote code injection attacks. This issue has been resolved in the 7.5.0 version.

Liferay DXP 7.3 before update 8 and DXP 7.4 before update 29 allows remote unauthenticated users to view asset libraries via the UI, which allows for remote file disclosure via the asset library listing form. This issue has been resolved in the 7.5.0 version.

Liferay DXP 7.3 before update 8 and DXP 7.4 before update 29 does not properly check permissions of asset libraries, which allows remote unauthenticated users to view asset libraries via the UI. This issue has been resolved in the 7.5.0 version.

Liferay DXP 7.3 before update 8 and DXP 7.4 before update 29 allows remote authenticated users to upload arbitrary files via the asset library upload form, which allows for

Credit

Liferay DXP 7.3 before update 8 and DXP 7.4 before update 29 allows remote authenticated users to view asset libraries via the UI, which allows for remote code injection attacks. This issue has been resolved in the 7.5.0 version. Liferay DXP 7.3 before update 8 and DXP 7.4 before update 29 allows remote unauthenticated users to view asset libraries via the UI, which allows for remote file disclosure via the asset library listing form. This issue has been resolved in the 7.5.0 version.

Liferay DXP 7.3 before update 8 and DXP 7.4 before update 29 does not properly check permissions of asset libraries, which allows remote unauthenticated users to view asset libraries via the UI.

DXP 7.5.0

The issue has been resolved in the 7.5.0 version.

Timeline

Published on: 11/15/2022 01:15:00 UTC
Last modified on: 11/18/2022 16:55:00 UTC
