Skip to main content

Incorrect Default Permissions

CVE-2022-42128

Severity Medium
Score 5.3/10

Summary

The Hypermedia REST APIs module in Liferay Portal 7.4.1 through 7.4.3.4, and Liferay DXP 7.4 GA does not properly check permissions, which allows remote attackers to obtain a WikiNode object via the 'WikiNodeResource.getSiteWikiNodeByExternalReferenceCode' API.

  • LOW
  • NETWORK
  • NONE
  • UNCHANGED
  • NONE
  • NONE
  • LOW
  • NONE

CWE-276 - Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

Advisory Timeline

  • Published