CVE-2022-48367
https://notcve.org/view.php?id=CVE-2022-48367
An issue was discovered in eZ Publish Ibexa Kernel before 7.5.28. Access control based on object state is mishandled. • https://developers.ibexa.co/security-advisories/ibexa-sa-2022-004-ineffective-object-state-limitation-and-unauthenticated-fastly-purge https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-5x4f-7xgq-r42x • CWE-862: Missing Authorization •
CVE-2022-48366
https://notcve.org/view.php?id=CVE-2022-48366
An issue was discovered in eZ Platform Ibexa Kernel before 1.3.19. It allows determining account existence via a timing attack. • https://developers.ibexa.co/security-advisories/ibexa-sa-2022-006-vulnerabilities-in-page-builder-login-and-commerce https://github.com/ezsystems/ezplatform-kernel/security/advisories/GHSA-342c-vcff-2ff2 https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-xfqg-p48g-hh94 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2022-42124
https://notcve.org/view.php?id=CVE-2022-42124
ReDoS vulnerability in LayoutPageTemplateEntryUpgradeProcess in Liferay Portal 7.3.2 through 7.4.3.4 and Liferay DXP 7.2 fix pack 9 through fix pack 18, 7.3 before update 4, and DXP 7.4 GA allows remote attackers to consume an excessive amount of server resources via a crafted payload injected into the 'name' field of a layout prototype. Vulnerabilidad ReDoS en LayoutPageTemplateEntryUpgradeProcess en Liferay Portal 7.3.2 hasta 7.4.3.4 y Liferay DXP 7.2 fix pack 9 hasta fix pack 18, 7.3 antes de la actualización 4 y DXP 7.4 GA permite a atacantes remotos consumir una cantidad excesiva de recursos del servidor a través de un payload manipulado inyectado en el campo 'nombre' de un prototipo de diseño. • http://liferay.com https://issues.liferay.com/browse/LPE-17435 https://issues.liferay.com/browse/LPE-17535 https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42124 • CWE-1333: Inefficient Regular Expression Complexity •
CVE-2022-42130
https://notcve.org/view.php?id=CVE-2022-42130
The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 19, 7.3 before update 4, and 7.4 GA does not properly check permission of form entries, which allows remote authenticated users to view and access all form entries. El módulo Dynamic Data Mapping en Liferay Portal 7.1.0 a 7.4.3.4 y Liferay DXP 7.1 antes del fixpack 27, 7.2 antes del fixpack 19, 7.3 antes de la actualización 4 y 7.4 GA no comprueba correctamente el permiso de las entradas del formulario, lo que permite usuarios remotos autenticados para ver y acceder a todas las entradas del formulario. • http://liferay.com https://issues.liferay.com/browse/LPE-17447 https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42130 • CWE-276: Incorrect Default Permissions •
CVE-2022-42126
https://notcve.org/view.php?id=CVE-2022-42126
The Asset Libraries module in Liferay Portal 7.3.5 through 7.4.3.28, and Liferay DXP 7.3 before update 8, and DXP 7.4 before update 29 does not properly check permissions of asset libraries, which allows remote authenticated users to view asset libraries via the UI. El módulo Asset Libraries en Liferay Portal 7.3.5 a 7.4.3.28, y Liferay DXP 7.3 antes de la actualización 8, y DXP 7.4 antes de la actualización 29 no verifica correctamente los permisos de las librerías de activos, lo que permite a los usuarios remotos autenticados ver las librerías de activos a través de la interfaz de usuario. • http://liferay.com https://issues.liferay.com/browse/LPE-17593 https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42126 •