CVE-2021-33324

MEDIUM

Liferay Portal/DXP - Privilege Escalation

Description

The Layout module in Liferay Portal 7.1.0 through 7.3.1, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 5, does not properly check permission of pages, which allows remote authenticated users without view permission of a page to view the page via a site's page administration.

References (2)

Core References
Patch, Vendor Advisory x_refsource_confirm
https://issues.liferay.com/browse/LPE-17001

Scores

CVSS v3 4.3
EPSS 0.0012
EPSS Percentile 30.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-276
Status published
Products (5)
com.liferay.portal/release.dxp.bom 0 - 7.1.10.fp20 (Maven)
com.liferay.portal/release.portal.bom 7.1.0 - 7.3.2 (Maven)
liferay/digital_experience_platform 7.1 (20 CPE variants)
liferay/digital_experience_platform 7.2 (5 CPE variants)
liferay/liferay_portal 7.1.0 - 7.3.2
Published Aug 03, 2021
Tracked Since Feb 18, 2026