Description
The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 7, autosaves form values for unauthenticated users, which allows remote attackers to view the autosaved values by viewing the form as an unauthenticated user.
References (2)
Core References
Release Notes, Vendor Advisory x_refsource_confirm
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747107
Patch, Vendor Advisory x_refsource_confirm
https://issues.liferay.com/browse/LPE-17049
Scores
CVSS v3
7.5
EPSS
0.0042
EPSS Percentile
61.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-312
Status
published
Products (5)
com.liferay/com.liferay.dynamic.data.mapping.form.web
0 - 3.0.23 (Maven)
com.liferay.portal/release.dxp.bom
7.1.0 - 7.1.10.fp19 (Maven)
liferay/digital_experience_platform
7.1 (19 CPE variants)
liferay/digital_experience_platform
7.2 (7 CPE variants)
liferay/liferay_portal
7.1.0 - 7.3.1
Published
Aug 03, 2021
Tracked Since
Feb 18, 2026