CVE-2022-39975: n/a in n/a

Medium
Tags: Vulnerability, CVE-2022-39975, cve
Published: Wed Sep 21 2022 (09/21/2022, 23:35:57 UTC)
Source: CVE Database V5
Vendor/Project: n/a
Product: n/a

Description

The Layout module in Liferay Portal v7.3.3 through v7.4.3.34, and Liferay DXP 7.3 before update 10, and 7.4 before update 35 does not check user permission before showing the preview of a "Content Page" type page, allowing attackers to view unpublished "Content Page" pages via URL manipulation.

AI-Powered Analysis

Last updated: 07/06/2025, 02:25:05 UTC

Technical Analysis

CVE-2022-39975 is a medium-severity vulnerability affecting certain versions of Liferay Portal and Liferay DXP: Liferay Portal 7.3.3 through 7.4.3.34, Liferay DXP 7.3 before update 10, and Liferay DXP 7.4 before update 35. The vulnerability resides in the Layout module, which fails to enforce a user permission check before rendering the preview of a "Content Page" type page. An attacker who already holds some level of privilege (the CVSS vector's PR:L) can manipulate the preview URL to view unpublished content pages that should be restricted. No user interaction is required, and the flaw is reachable remotely over the network (AV:N). The impact is confined to confidentiality: an attacker can read content that has not yet been published, but cannot modify it or affect availability. The CVSS 3.1 base score is 4.3 (medium). The underlying weakness is categorized as CWE-862, which relates to improper authorization. There are no known exploits in the wild, and no official patches or updates are linked in the provided data, although Liferay has most likely released fixed versions beyond the affected ranges. The vulnerability primarily concerns organizations running the listed Liferay Portal and DXP versions, where draft content previews could be exposed to internal or external users who have some level of access but should not be able to see unpublished pages.

Potential Impact

For European organizations using vulnerable versions of Liferay Portal or Liferay DXP, this vulnerability could lead to unauthorized disclosure of sensitive unpublished content. This may include internal communications, marketing materials, product launches, or other confidential information that is staged for publication but not yet approved. Such information leakage could damage competitive positioning, violate data protection policies, or expose intellectual property. While the vulnerability does not allow modification or disruption of services, the confidentiality breach could have regulatory implications under GDPR if personal data is exposed. Organizations in sectors such as finance, government, healthcare, and media, which often use Liferay for content management and intranet portals, may be particularly at risk. The ability to preview unpublished pages without proper authorization undermines content governance and could erode trust in internal content management processes.

Mitigation Recommendations

European organizations should immediately verify their Liferay Portal and DXP versions and upgrade to releases outside the affected ranges (i.e., later than 7.4.3.34 for Liferay Portal, update 10 or later for DXP 7.3, and update 35 or later for DXP 7.4). If an immediate upgrade is not feasible, restrict preview rights so that only users who genuinely need to review drafts hold permission to preview content pages. Web application firewalls (WAFs) can additionally be configured to flag and block suspicious URL manipulation aimed at preview endpoints. A thorough audit of user permissions and roles within Liferay helps limit the privileges an attacker could leverage. Monitoring access logs for unusual preview-page requests, particularly from accounts that do not normally author content, can reveal exploitation attempts. Finally, consult Liferay support or its security advisories for official patches and guidance, and apply them promptly.
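The first step above is a version check, and doing it by eye across an inventory is error-prone because the affected ranges use two different numbering schemes (dotted Portal versions versus DXP "update" numbers). The script below is an added example written for this page; it is not Liferay tooling and not part of the original advisory. The affected ranges are taken from the CVE description; the version-string formats it parses ("7.4.3.34" for Portal, "7.4 update 35" or "7.4.13 u35" for DXP) and the CSV inventory layout are assumptions, and the inventory rows are constructed sample data.

```python
"""Check Liferay version strings against the ranges CVE-2022-39975 lists as
affected.  Added example for this page, not Liferay's own tooling."""
import csv
import io
import re

# Affected ranges, taken from the CVE description.
PORTAL_FIRST_AFFECTED = (7, 3, 3)        # inclusive
PORTAL_LAST_AFFECTED = (7, 4, 3, 34)     # inclusive
# DXP is fixed at or above this update number for each release line.
DXP_FIXED_UPDATE = {"7.3": 10, "7.4": 35}

# Assumed DXP format: "7.4 update 35", "7.4.13 update 35" or "7.3 u9".
DXP_RE = re.compile(
    r"^(?P<line>7\.\d+)(?:\.\d+)*\s*(?:update|u)\s*(?P<update>\d+)$", re.I
)


def parse_portal(version: str) -> tuple:
    """'7.4.3.34' -> (7, 4, 3, 34); raises ValueError on anything else."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Liferay Portal version: {version!r}")
    return tuple(int(p) for p in parts)


def portal_affected(version: str) -> bool:
    """True if a Liferay Portal version falls inside 7.3.3 .. 7.4.3.34.

    Python compares tuples lexicographically, and a shorter tuple sorts
    before a longer one with the same prefix, so an imprecise entry such
    as "7.4" is treated as affected (the conservative choice)."""
    return PORTAL_FIRST_AFFECTED <= parse_portal(version) <= PORTAL_LAST_AFFECTED


def dxp_affected(version: str) -> bool:
    """True if a Liferay DXP version is 7.3 before update 10 or 7.4 before update 35."""
    m = DXP_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Liferay DXP version: {version!r}")
    line, update = m.group("line"), int(m.group("update"))
    if line not in DXP_FIXED_UPDATE:
        # Release lines the advisory does not list (7.2 and earlier, 7.5+).
        return False
    return update < DXP_FIXED_UPDATE[line]


def affected_hosts(inventory_csv: str) -> list:
    """Return the hostnames in a 'host,product,version' CSV that are affected.

    Rows with an unknown product are skipped; a row whose version string
    cannot be parsed is reported as affected so it gets looked at by hand."""
    hits = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        checker = {"portal": portal_affected, "dxp": dxp_affected}.get(
            row["product"].strip().lower()
        )
        if checker is None:
            continue
        try:
            vulnerable = checker(row["version"])
        except ValueError:
            vulnerable = True  # unparseable: flag for manual review
        if vulnerable:
            hits.append(row["host"].strip())
    return hits


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = """\
host,product,version
intranet-01,portal,7.4.3.34
intranet-02,portal,7.4.3.36
cms-eu-01,dxp,7.4.13 update 33
cms-eu-02,dxp,7.4.13 update 35
legacy-01,dxp,7.3 update 9
"""

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: affected by CVE-2022-39975, schedule upgrade")
```

Feed it the real inventory export instead of `SAMPLE_INVENTORY`; anything it cannot parse is deliberately reported as affected rather than silently ignored, so an odd version string surfaces for manual review instead of hiding a vulnerable host.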

Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2022-09-06T00:00:00.000Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68360ee1182aa0cae22072ae

Added to database: 5/27/2025, 7:13:37 PM

Last enriched: 7/6/2025, 2:25:05 AM

Last updated: 8/15/2025, 9:30:10 AM
