CVE-2022-39975 is a medium-severity vulnerability affecting certain versions of Liferay Portal and Liferay DXP, specifically versions 7.3.3 through 7.4.3.34 for Liferay Portal, and Liferay DXP 7.3 before update 10 and 7.4 before update 35. The vulnerability resides in the Layout module, which fails to properly enforce user permission checks before displaying the preview of a "Content Page" type page. This flaw allows an attacker with at least some level of privileges (PR:L indicates privileges required) to manipulate URLs to access unpublished content pages that should normally be restricted. The vulnerability does not require user interaction and can be exploited remotely over the network (AV:N). The impact is limited to confidentiality, as attackers can view content that is not yet published, but it does not affect integrity or availability. The CVSS 3.1 base score is 4.3, reflecting a medium severity. The underlying weakness is categorized under CWE-862, which relates to improper authorization. There are no known exploits in the wild, and no official patches or updates are linked in the provided data, although Liferay likely has released updates beyond the affected versions to address this issue. The vulnerability primarily affects organizations using the specified Liferay Portal and DXP versions, potentially exposing sensitive unpublished content to unauthorized internal or external users who have some level of access but should not see draft content previews.

For European organizations using vulnerable versions of Liferay Portal or Liferay DXP, this vulnerability could lead to unauthorized disclosure of sensitive unpublished content. This may include internal communications, marketing materials, product launches, or other confidential information that is staged for publication but not yet approved. Such information leakage could damage competitive positioning, violate data protection policies, or expose intellectual property. While the vulnerability does not allow modification or disruption of services, the confidentiality breach could have regulatory implications under GDPR if personal data is exposed. Organizations in sectors such as finance, government, healthcare, and media, which often use Liferay for content management and intranet portals, may be particularly at risk. The ability to preview unpublished pages without proper authorization undermines content governance and could erode trust in internal content management processes.

European organizations should immediately verify their Liferay Portal and DXP versions and upgrade to versions beyond those affected (i.e., versions after 7.4.3.34 for Portal and after update 35 for DXP 7.4). If immediate upgrading is not feasible, organizations should implement strict access controls limiting who can preview content pages, ensuring only fully authorized users have preview permissions. Additionally, web application firewalls (WAFs) can be configured to detect and block suspicious URL manipulation attempts targeting preview endpoints. Conducting thorough audits of user permissions and roles within Liferay is critical to minimize privilege escalation risks. Monitoring access logs for unusual preview page requests can help detect exploitation attempts. Finally, organizations should engage with Liferay support or security advisories to obtain official patches or guidance and apply them promptly.