CVE-2022-38512

The Translation module in Liferay Portal v7.4.3.12 through v7.4.3.36, and Liferay DXP 7.4 update 8 through 36 does not check permissions before allowing a user to export a web content for translation, allowing attackers to download a web content page's XLIFF translation file via crafted URL.

CVSS v3.0 6.5 MEDIUM

6.5^/10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
http://liferay.com	Product
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-38512	Release Notes Vendor Advisory

Configurations

Configuration 1

cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*

cpe:2.3:a:liferay:dxp:7.4:update_3:*:*:*:*:*:*

cpe:2.3:a:liferay:dxp:7.4:update_9:*:*:*:*:*:*

cpe:2.3:a:liferay:dxp:7.4:update_8:*:*:*:*:*:*

cpe:2.3:a:liferay:dxp:7.4:update_10:*:*:*:*:*:*

cpe:2.3:a:liferay:dxp:7.4:update_11:*:*:*:*:*:*

cpe:2.3:a:liferay:dxp:7.4:update_12:*:*:*:*:*:*

cpe:2.3:a:liferay:dxp:7.4:update_14:*:*:*:*:*:*

cpe:2.3:a:liferay:dxp:7.4:update_13:*:*:*:*:*:*

cpe:2.3:a:liferay:dxp:7.4:update_15:*:*:*:*:*:*

cpe:2.3:a:liferay:dxp:7.4:update_16:*:*:*:*:*:*

cpe:2.3:a:liferay:dxp:7.4:update_18:*:*:*:*:*:*

cpe:2.3:a:liferay:dxp:7.4:update_17:*:*:*:*:*:*

cpe:2.3:a:liferay:dxp:7.4:update_19:*:*:*:*:*:*

cpe:2.3:a:liferay:dxp:7.4:update_20:*:*:*:*:*:*

cpe:2.3:a:liferay:dxp:7.4:update_21:*:*:*:*:*:*

cpe:2.3:a:liferay:dxp:7.4:update_22:*:*:*:*:*:*

cpe:2.3:a:liferay:dxp:7.4:update_23:*:*:*:*:*:*

cpe:2.3:a:liferay:dxp:7.4:update_24:*:*:*:*:*:*

cpe:2.3:a:liferay:dxp:7.4:update_25:*:*:*:*:*:*

cpe:2.3:a:liferay:dxp:7.4:update_26:*:*:*:*:*:*

cpe:2.3:a:liferay:dxp:7.4:update_27:*:*:*:*:*:*

cpe:2.3:a:liferay:dxp:7.4:update_28:*:*:*:*:*:*

cpe:2.3:a:liferay:dxp:7.4:update_29:*:*:*:*:*:*

cpe:2.3:a:liferay:dxp:7.4:update_30:*:*:*:*:*:*

cpe:2.3:a:liferay:dxp:7.4:update_31:*:*:*:*:*:*

cpe:2.3:a:liferay:dxp:7.4:update_32:*:*:*:*:*:*

cpe:2.3:a:liferay:dxp:7.4:update_33:*:*:*:*:*:*

cpe:2.3:a:liferay:dxp:7.4:update_34:*:*:*:*:*:*

cpe:2.3:a:liferay:dxp:7.4:update_36:*:*:*:*:*:*

cpe:2.3:a:liferay:dxp:7.4:update_35:*:*:*:*:*:*

History

24 Jan 2023, 16:19

Type	Values Removed	Values Added
CPE		cpe:2.3:a:predictapp_project:predictapp::::::::
References	~~(MISC) https://github.com/abhilash1985/PredictApp/commit/b067372f3ee26fe1b657121f0f41883ff4461a06 -~~	(MISC) https://github.com/abhilash1985/PredictApp/commit/b067372f3ee26fe1b657121f0f41883ff4461a06 - Patch, Third Party Advisory
References	~~(MISC) https://github.com/abhilash1985/PredictApp/pull/73 -~~	(MISC) https://github.com/abhilash1985/PredictApp/pull/73 - Patch, Third Party Advisory
References	~~(MISC) https://vuldb.com/?id.218387 -~~	(MISC) https://vuldb.com/?id.218387 - Third Party Advisory
References	~~(MISC) https://vuldb.com/?ctiid.218387 -~~	(MISC) https://vuldb.com/?ctiid.218387 - Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
First Time		Predictapp Project predictapp Predictapp Project

16 Jan 2023, 13:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-09-22 01:15

Updated : 2022-09-26 03:43

NVD link : CVE-2022-38512

Mitre link : CVE-2022-38512

Products Affected

No products.

CWE

CWE-269