CVE-2022-39975
Description
Liferay Portal and DXP fail to check user permissions when showing previews of unpublished 'Content Page' pages, allowing unauthenticated access via URL manipulation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
The Layout module in Liferay Portal versions 7.3.3 through 7.4.3.34, and Liferay DXP versions 7.3 before update 10 and 7.4 before update 35, does not enforce user permission checks when displaying the preview of a 'Content Page' type page [1]. This flaw allows attackers to view unpublished 'Content Page' pages that should be restricted until publication [1].
Exploitation
An attacker can exploit this vulnerability by directly manipulating the URL to access a 'Content Page' preview, bypassing the intended permission checks [1]. No authentication or special privileges are required, making the attack vector easily accessible to anyone who knows or can guess the page identifier [1].
Impact
Successful exploitation results in unauthorized viewing of unpublished content. This can lead to information disclosure, as sensitive or draft content intended for internal use or future publication is exposed prematurely [1].
Mitigation
Liferay has released patched versions that correct the permission check: update 10 for Liferay DXP 7.3 and update 35 for Liferay DXP 7.4. Later versions of Liferay Portal are not affected [1]. Users should apply the recommended updates or restrict network access to the vulnerable endpoint until patches can be deployed.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.liferay.portal:release.portal.bom (Maven) | >= 7.3.3, < 7.4.3.35 | 7.4.3.35 |
Affected products (2)
Patches (0)
No patches discovered yet.
References (4)
- github.com/advisories/GHSA-83qx-288m-72w4 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-39975 (ghsa, ADVISORY)
- liferay.com (ghsa, x_refsource_MISC, WEB)
- portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-39975 (ghsa, x_refsource_MISC, WEB)