VYPR
Moderate severity · NVD Advisory · Published Nov 15, 2022 · Updated Apr 30, 2025

CVE-2022-42127

Description

The Friendly Url module in Liferay Portal 7.4.3.5 through 7.4.3.36, and Liferay DXP 7.4 update 1 through 36 does not properly check user permissions, which allows remote attackers to obtain the history of all friendly URLs that were assigned to a page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Friendly Url module in Liferay Portal 7.4.3.5-36 and DXP 7.4 update 1-36 fails to check permissions, allowing remote attackers to retrieve the assignment history of all friendly URLs.

The Friendly Url module in Liferay Portal 7.4.3.5 through 7.4.3.36 and Liferay DXP 7.4 update 1 through 36 does not properly validate user permissions when accessing friendly URL history. This flaw enables remote attackers to view the complete history of all friendly URLs assigned to a page, which may expose sensitive information about page revisions or configuration changes.

An attacker can exploit this vulnerability remotely without authentication by sending crafted requests to the affected module. The lack of proper permission checks means that any user, regardless of role, can enumerate the friendly URL assignments and their historical records. No special network position or privileges are required, making the attack surface broad [1].

Successful exploitation allows an attacker to obtain a list of all friendly URLs that have ever been assigned to any page on the system. This information leakage could aid in mapping the site structure, identifying renamed or deleted pages, and potentially uncovering administrative or sensitive areas based on URL patterns.

As of the publication date, no patch or workaround has been announced for this vulnerability. Organizations running the affected versions should consider applying any available updates from Liferay and monitor for an official fix. The confidentiality impact is high due to the exposure of historical URL data, though the integrity and availability of the system remain unaffected.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
com.liferay.portal:release.portal.bom (Maven) | >= 7.4.3.5, < 7.4.3.48 | 7.4.3.48

Affected products

3

Patches

0

No patches discovered yet.

References

5
