CVE-2021-33327

MEDIUM

Liferay Portal <7.3.4 - Privilege Escalation

Title source: llm

Description

The Portlet Configuration module in Liferay Portal 7.2.0 through 7.3.3, and Liferay DXP 7.0 fix pack 93 and 94, 7.1 fix pack 18, and 7.2 before fix pack 8, does not properly check user permission, which allows remote authenticated users to view the Guest and User role even if "Role Visibility" is enabled.

References (2)

Core References
Patch, Vendor Advisory x_refsource_confirm
https://issues.liferay.com/browse/LPE-17075

Scores

CVSS v3 4.3
EPSS 0.0011
EPSS Percentile 28.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-276
Status published
Products (6)
com.liferay/com.liferay.portlet.configuration.web 0 - 4.0.13 (Maven)
com.liferay.portal/release.dxp.bom 7.0.10.fp93 - 7.0.10.fp95 (Maven)
liferay/digital_experience_platform 7.0 fix_pack_93 (2 CPE variants)
liferay/digital_experience_platform 7.1 fix_pack_18
liferay/digital_experience_platform 7.2 (8 CPE variants)
liferay/liferay_portal 7.2.0 - 7.3.4
Published Aug 03, 2021
Tracked Since Feb 18, 2026