CVE-2021-38268

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-38268

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-38268.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-38268

Aliases

BIT-liferay-2021-38268

Published

2022-03-02T19:15:07Z

Modified

2025-03-05T11:50:44.799500Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.6, and Liferay DXP 7.0 before fix pack 101, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 2 incorrectly sets default permissions for site members, which allows remote authenticated users with the site member role to add and duplicate forms, via the UI or the API.

References

Affected packages

Git / github.com/liferay/liferay-portal

Affected ranges

Type: GIT
Repo: https://github.com/liferay/liferay-portal
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

ded0e9390637985231e962e4ad4cfa4639eabb26

Affected versions

6.*

6.1.0-b1

6.1.0-b2

6.1.0-b3

6.1.0-b4

6.1.0-rc1

6.2.0-b1

6.2.0-b2

6.2.0-m2

6.2.0-m3

6.2.0-m4

6.2.0-m5

6.2.0-m6

7.*

7.0.0-m1

7.0.0-m2

7.0.0-m3

7.0.0-m4

7.0.0-m5

7.1.0-a1

7.1.0-a2

7.1.0-b1

7.1.0-b2

7.1.0-m1

7.1.0-m2

7.2.0-a1

7.2.0-b1

7.2.0-b2

7.2.0-b3

7.2.0-ga1

7.2.0-m2

7.2.0-rc2

7.2.0-rc3

sync-3.*

sync-3.0.0-b1

sync-3.0.1-b2

sync-3.0.10-ga2

sync-3.0.2-b3

sync-3.0.3-b4

sync-3.0.4-b5

sync-3.0.5-b6

sync-3.0.6-b7

sync-3.0.7-b8

sync-3.0.8-b9

sync-3.0.9-ga1

sync-3.1.0-ga1