Vulnerability Details CVE-2022-26595
Liferay Portal 7.3.7, 7.4.0, and 7.4.1, and Liferay DXP 7.2 fix pack 13, and 7.3 fix pack 2 does not properly check user permission when accessing a list of sites/groups, which allows remote authenticated users to view sites/groups via the user's site membership assignment UI.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 31.0%
CVSS Severity
CVSS v3 Score 4.3
CVSS v2 Score 4.0
References
- http://liferay.com
- https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-26595-unauthorized-access-to-site-group-list
- http://liferay.com
- https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-26595-unauthorized-access-to-site-group-list
Products affected by CVE-2022-26595
-
cpe:2.3:a:liferay:digital_experience_platform:7.2
-
cpe:2.3:a:liferay:digital_experience_platform:7.3
-
cpe:2.3:a:liferay:liferay_portal:7.3.7
-
cpe:2.3:a:liferay:liferay_portal:7.4.0
-
cpe:2.3:a:liferay:liferay_portal:7.4.1