CVE-2022-39975

MEDIUM

Liferay DXP 7.3-7.4 and Liferay Portal 7.3.3-7.4.3.34 - Unauthenticated Information Disclosure via Content Page Preview

Description

The Layout module in Liferay Portal v7.3.3 through v7.4.3.34, and Liferay DXP 7.3 before update 10, and 7.4 before update 35 does not check user permission before showing the preview of a "Content Page" type page, allowing attackers to view unpublished "Content Page" pages via URL manipulation.

Scores

CVSS v3 4.3
EPSS 0.0016
EPSS Percentile 36.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-862
Status published
Products (4)
com.liferay.portal/release.portal.bom 7.3.3 - 7.4.3.35 (Maven)
liferay/dxp 7.3 (10 CPE variants)
liferay/dxp 7.4 update_1 (34 CPE variants)
liferay/liferay_portal 7.3.3 - 7.4.3.35
Published Sep 22, 2022
Tracked Since Feb 18, 2026