Description

The Dynamic Data Mapping module in Liferay Portal through v7.3.6 and Liferay DXP through v7.3 incorrectly sets default permissions for site members, allowing authenticated attackers to add and duplicate forms via the UI or the API.

Remediation

References

CVE-2021-38268

Related Vulnerabilities

phpBB Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2007-5173)

Contao Weak Password Recovery Mechanism for Forgotten Password Vulnerability (CVE-2019-10641)

PrestaShop Incorrect Authorization Vulnerability (CVE-2020-5288)

WordPress Plugin Quiz And Survey Master-Best Quiz, Exam and Survey SQL Injection (7.1.11)

WordPress Plugin WP Block and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection-StopBadBots Cross-Site Scripting (6.61)

Severity

Medium

Classification

CVE-2021-38268 CWE-276 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities