Liferay: >> Liferay Portal >> 7.4.3.7 Security Vulnerabilities
The Layout module in Liferay Portal v7.3.3 through v7.4.3.34, and Liferay DXP 7.3 before update 10, and 7.4 before update 35 does not check user permission before showing the preview of a "Content Page" type page, allowing attackers to view unpublished "Content Page" pages via URL manipulation.
CVSS Score
4.3
EPSS Score
0.002
Published
2022-09-22
The Remote App module in Liferay Portal Liferay Portal v7.4.3.4 through v7.4.3.8 and Liferay DXP 7.4 before update 5 does not check if the origin of event messages it receives matches the origin of the Remote App, allowing attackers to exfiltrate the CSRF token via a crafted event message.
CVSS Score
5.3
EPSS Score
0.001
Published
2022-03-03
Page 16