CVE-2022-39975 - Vulnerability Details

The Layout module in Liferay Portal v7.3.3 through v7.4.3.34, and Liferay DXP 7.3 before update 10, and 7.4 before update 35 does not check user permission before showing the preview of a "Content Page" type page, allowing attackers to view unpublished "Content Page" pages via URL manipulation.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Liferay	Dxp Liferay Portal

Configuration 1 [-]

OR	cpe:2.3:a:liferay:dxp:7.3:-::::::
	cpe:2.3:a:liferay:dxp:7.3:update_1::::::
	cpe:2.3:a:liferay:dxp:7.3:update_2::::::
	cpe:2.3:a:liferay:dxp:7.3:update_3::::::
	cpe:2.3:a:liferay:dxp:7.3:update_4::::::
	cpe:2.3:a:liferay:dxp:7.3:update_5::::::
	cpe:2.3:a:liferay:dxp:7.3:update_6::::::
	cpe:2.3:a:liferay:dxp:7.3:update_7::::::
	cpe:2.3:a:liferay:dxp:7.3:update_8::::::
	cpe:2.3:a:liferay:dxp:7.3:update_9::::::
	cpe:2.3:a:liferay:dxp:7.4:update_1::::::
	cpe:2.3:a:liferay:dxp:7.4:update_10::::::
	cpe:2.3:a:liferay:dxp:7.4:update_11::::::
	cpe:2.3:a:liferay:dxp:7.4:update_12::::::
	cpe:2.3:a:liferay:dxp:7.4:update_13::::::
	cpe:2.3:a:liferay:dxp:7.4:update_14::::::
	cpe:2.3:a:liferay:dxp:7.4:update_15::::::
	cpe:2.3:a:liferay:dxp:7.4:update_16::::::
	cpe:2.3:a:liferay:dxp:7.4:update_17::::::
	cpe:2.3:a:liferay:dxp:7.4:update_18::::::
	cpe:2.3:a:liferay:dxp:7.4:update_19::::::
	cpe:2.3:a:liferay:dxp:7.4:update_2::::::
	cpe:2.3:a:liferay:dxp:7.4:update_20::::::
	cpe:2.3:a:liferay:dxp:7.4:update_21::::::
	cpe:2.3:a:liferay:dxp:7.4:update_22::::::
	cpe:2.3:a:liferay:dxp:7.4:update_23::::::
	cpe:2.3:a:liferay:dxp:7.4:update_24::::::
	cpe:2.3:a:liferay:dxp:7.4:update_25::::::
	cpe:2.3:a:liferay:dxp:7.4:update_26::::::
	cpe:2.3:a:liferay:dxp:7.4:update_27::::::
	cpe:2.3:a:liferay:dxp:7.4:update_28::::::
	cpe:2.3:a:liferay:dxp:7.4:update_29::::::
	cpe:2.3:a:liferay:dxp:7.4:update_3::::::
	cpe:2.3:a:liferay:dxp:7.4:update_30::::::
	cpe:2.3:a:liferay:dxp:7.4:update_31::::::
	cpe:2.3:a:liferay:dxp:7.4:update_32::::::
	cpe:2.3:a:liferay:dxp:7.4:update_33::::::
	cpe:2.3:a:liferay:dxp:7.4:update_34::::::
	cpe:2.3:a:liferay:dxp:7.4:update_4::::::
	cpe:2.3:a:liferay:dxp:7.4:update_5::::::
	cpe:2.3:a:liferay:dxp:7.4:update_6::::::
	cpe:2.3:a:liferay:dxp:7.4:update_7::::::
	cpe:2.3:a:liferay:dxp:7.4:update_8::::::
	cpe:2.3:a:liferay:dxp:7.4:update_9::::::
	cpe:2.3:a:liferay:liferay_portal::::::::

No data.

References

Link	Providers
http://liferay.com
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-39975

History

Tue, 27 May 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-09-21T23:35:57.000Z

Updated: 2025-05-27T18:56:16.035Z

Reserved: 2022-09-06T00:00:00.000Z

Link: CVE-2022-39975

Vulnrichment

Updated: 2024-08-03T12:07:42.971Z

NVD

Status : Modified

Published: 2022-09-22T00:15:10.310

Modified: 2025-05-27T19:15:22.957

Link: CVE-2022-39975

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object