First published: Tue Apr 19 2022(Updated: )
Liferay Portal 7.3.7, 7.4.0, and 7.4.1, and Liferay DXP 7.2 fix pack 13, and 7.3 fix pack 2 does not properly check user permission when accessing a list of sites/groups, which allows remote authenticated users to view sites/groups via the user's site membership assignment UI.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Liferay Digital Experience Platform | =7.2-fix_pack_13 | |
Liferay Digital Experience Platform | =7.3-fix_pack_2 | |
Liferay Liferay Portal | =7.3.7 | |
Liferay Liferay Portal | =7.4.0 | |
Liferay Liferay Portal | =7.4.1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2022-26595 is a vulnerability in Liferay Portal and Liferay DXP that allows remote authenticated users to view sites/groups via the user's site membership assignment UI.
CVE-2022-26595 has a severity rating of medium (4.3).
Liferay Portal versions 7.3.7, 7.4.0, and 7.4.1, as well as Liferay DXP versions 7.2 fix pack 13 and 7.3 fix pack 2 are affected by CVE-2022-26595.
Remote authenticated users can exploit CVE-2022-26595 by accessing a list of sites/groups via the user's site membership assignment UI.
Yes, a fix is available. Please refer to the official Liferay Portal documentation and security advisories for more information on how to apply the fix.