CVE-2022-42129: Authorization Bypass Through User-Controlled Key

November 15, 2022 (updated November 21, 2022)

An Insecure direct object reference (IDOR) vulnerability in the Dynamic Data Mapping module in Liferay Portal 7.3.2 through 7.4.3.4, and Liferay DXP 7.3 before update 4, and 7.4 GA allows remote authenticated users to view and access form entries via the formInstanceRecordId parameter.

References

liferay.com/
github.com/advisories/GHSA-g6x4-57hp-j4xm
issues.liferay.com/browse/LPE-17448
nvd.nist.gov/vuln/detail/CVE-2022-42129
portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42129

Code Behaviors & Features

Detect and mitigate CVE-2022-42129 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →