Vulnerability CVE-2021-38268

Vulnerability CVE-2021-38268

Published: 2022-03-02

Description:

The Dynamic Data Mapping module in Liferay Portal through v7.3.6 and Liferay DXP through v7.3 incorrectly sets default permissions for site members, allowing authenticated attackers to add and duplicate forms via the UI or the API.

Type:

CWE-276

(Incorrect Default Permissions)

CVSS2 => (AV:N/AC:L/Au:S/C:N/I:P/A:N)

CVSS Base Score	Impact Subscore	Exploitability Subscore
4/10	2.9/10	8/10

Exploit range	Attack complexity	Authentication
Remote	Low	Single time
Confidentiality impact	Integrity impact	Availability impact
None	Partial	None

Affected software
Liferay -> Digital experience platform
Liferay -> Liferay portal

References:

http://liferay.com

https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38268-site-member-can-add-new-forms-by-default

Vulnerability CVE-2021-38268

The Dynamic Data Mapping module in Liferay Portal through v7.3.6 and Liferay DXP through v7.3 incorrectly sets default permissions for site members, allowing authenticated attackers to add and duplicate forms via the UI or the API.

CWE-276

CVSS2 => (AV:N/AC:L/Au:S/C:N/I:P/A:N)

4/10

2.9/10

8/10

Remote

Low

Single time

None

Partial

None

Affected software

References: