Moderate severity · NVD Advisory · Published Nov 15, 2022 · Updated Apr 30, 2025

CVE-2022-42130

Description

The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 19, 7.3 before update 4, and 7.4 GA does not properly check permission of form entries, which allows remote authenticated users to view and access all form entries.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Liferay Portal and DXP Dynamic Data Mapping module lacks proper permission checks, allowing authenticated users to view all form entries.

The Dynamic Data Mapping (DDM) module in Liferay Portal 7.1.0 through 7.4.3.4 and several Liferay DXP versions fails to properly verify permissions when accessing form entries. This flaw allows a remote authenticated user to view and access any form entry stored in the system, regardless of intended access controls [1].

An attacker with valid credentials (remote authenticated user) can exploit this vulnerability by directly requesting form entry endpoints that lack proper authorization checks. No special privileges or network position beyond standard user access is required, as the missing permission check applies globally to all form entries.

The impact is unauthorized disclosure of potentially sensitive data submitted through forms, including personal, financial, or business information. This could lead to privacy violations, data leaks, or compliance issues depending on the nature of the data collected.

Liferay has addressed the issue in fix packs and updates for the affected versions: DXP 7.1 fix pack 27, 7.2 fix pack 19, 7.3 update 4, and Portal 7.4.3.5+. Users should apply the latest updates to mitigate the risk [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
com.liferay.portal:release.portal.bom (Maven) | >= 7.1.0, < 7.4.3.5 | 7.4.3.5
