Vulnerability Description
The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.6, and Liferay DXP 7.0 before fix pack 101, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 2 incorrectly sets default permissions for site members, which allows remote authenticated users with the site member role to add and duplicate forms, via the UI or the API.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Liferay | Digital Experience Platform | < 7.2.1 |
| Liferay | Liferay Portal | >= 7.0.0, < 7.3.7 |
Related Weaknesses (CWE)
References
- http://liferay.comVendor Advisory
- https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisheVendor Advisory
- https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publishePatchVendor Advisory
- http://liferay.comVendor Advisory
- https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisheVendor Advisory
- https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publishePatchVendor Advisory
FAQ
What is CVE-2021-38268?
CVE-2021-38268 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.6, and Liferay DXP 7.0 before fix pack 101, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 2 incorrectly set...
How severe is CVE-2021-38268?
CVE-2021-38268 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-38268?
Check the references section above for vendor advisories and patch information. Affected products include: Liferay Digital Experience Platform, Liferay Liferay Portal.