
CVE-2022-42127: n/a in n/a

Severity: Medium
Tags: Vulnerability, CVE-2022-42127, cve
Published: Tue Nov 15 2022 (11/15/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

The Friendly Url module in Liferay Portal 7.4.3.5 through 7.4.3.36, and Liferay DXP 7.4 update 1 through 36, does not properly check user permissions, which allows remote attackers to obtain the history of all friendly URLs that were assigned to a page.

AI-Powered Analysis

Last updated: 06/25/2025, 06:45:37 UTC

Technical Analysis

CVE-2022-42127 is a medium-severity information-disclosure vulnerability in the Friendly URL module of Liferay Portal 7.4.3.5 through 7.4.3.36 and Liferay DXP 7.4 update 1 through 36. The module does not properly check the caller's permissions before returning the friendly URL history of a page, so a remote attacker can retrieve every friendly URL that has ever been assigned to that page, with no authentication and no user interaction. Friendly URLs are the human-readable paths that map to pages in the portal; the module keeps a page's previous friendly URLs so that old links continue to resolve, and that history can expose earlier page names, page restructuring, content changes, or internal site organization that the current URL no longer shows. The vulnerability is classified under CWE-276 (Incorrect Default Permissions). The CVSS 3.1 base score is 5.3 (medium), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N: network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, and a low confidentiality impact with no impact on integrity or availability. No exploitation in the wild has been reported, and no patch or vendor advisory is linked in the source data. The flaw does not allow modification or disruption of the portal; its value to an attacker is reconnaissance that can support further attacks.
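The bug class described above, as an added illustration that is not part of this page and not Liferay's code: a lookup of a page's friendly URL history that never consults the caller's permissions, beside a hardened version that refuses unless the caller holds the required action on that specific page. All names (Page, User, has_permission, url_history_vulnerable, url_history_fixed, collect_history) and the sample pages and users are invented; the choice of UPDATE as the required action is an assumption made here, not the vendor's fix.

```python
"""Hypothetical model of the bug class behind CVE-2022-42127: a lookup of a
page's friendly URL history that skips the per-page permission check, next
to a hardened version that enforces it. Illustrative only; this is not
Liferay code and all names and sample data here are invented."""
from dataclasses import dataclass, field


@dataclass
class Page:
    page_id: int
    friendly_url: str
    # Earlier friendly URLs kept so that old links still resolve; this is the
    # data the vulnerable lookup leaks. Constructed sample values below.
    url_history: list = field(default_factory=list)
    private: bool = False  # private pages are viewable by site members only


@dataclass
class User:
    name: str
    member: bool = False  # site member: may view private pages
    editor: bool = False  # may update pages


class PermissionDenied(Exception):
    pass


def has_permission(user: User, page: Page, action: str) -> bool:
    """Toy per-page permission model with two actions, VIEW and UPDATE."""
    if action == "VIEW":
        return (not page.private) or user.member
    if action == "UPDATE":
        return user.editor
    return False


def url_history_vulnerable(user: User, page: Page) -> list:
    """The bug: the caller's permissions are never consulted, so an
    unauthenticated guest receives the full history of any page."""
    return list(page.url_history)


def url_history_fixed(user: User, page: Page, action: str = "UPDATE") -> list:
    """Hardened lookup: refuse unless the caller holds the required action on
    this specific page. UPDATE is an assumption chosen here because URL
    history is edit-time metadata; a deployment may decide VIEW suffices."""
    if not has_permission(user, page, action):
        raise PermissionDenied(
            f"{user.name} lacks {action} on page {page.page_id}")
    return list(page.url_history)


def collect_history(lookup, user: User, pages) -> dict:
    """Run a lookup over every page as the given user, recording what each
    page yields: the history list, or 'denied' when the check blocks it."""
    result = {}
    for page in pages:
        try:
            result[page.page_id] = lookup(user, page)
        except PermissionDenied:
            result[page.page_id] = "denied"
    return result


# Constructed sample data: a public page and a members-only page whose old
# URL hints at an internal project name that was deliberately renamed.
GUEST = User("guest")
MEMBER = User("alice", member=True)
EDITOR = User("bob", member=True, editor=True)
PAGES = [
    Page(10, "/careers", ["/jobs", "/hiring-2022"]),
    Page(11, "/intranet/reorg", ["/intranet/project-falcon"], private=True),
]

if __name__ == "__main__":
    print("vulnerable, as guest:", collect_history(url_history_vulnerable, GUEST, PAGES))
    print("fixed, as guest:     ", collect_history(url_history_fixed, GUEST, PAGES))
    print("fixed, as editor:    ", collect_history(url_history_fixed, EDITOR, PAGES))
```

Run as a script, the vulnerable lookup hands the guest the old "/intranet/project-falcon" slug of the private page, which is exactly the kind of renamed-away detail the analysis warns about; the hardened lookup returns "denied" for both pages to the guest and the full history only to the editor. The design point is that the check is made against the specific page being asked about, not against a coarse "is logged in" flag.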

Potential Impact

For European organizations running affected versions of Liferay Portal or Liferay DXP, this vulnerability is an unauthorized information-disclosure risk. The friendly URL history of a page can reveal internal site structure, earlier page names, content changes, or navigation paths that were deliberately renamed or retired, and attackers can use that material for targeted phishing, social engineering, or to map where weak points in the web application are likely to be. The direct confidentiality impact is limited, but the information can make subsequent attacks more precise, particularly against organizations that publish sensitive or regulated content. Because Liferay is widely deployed by enterprises, government agencies, and public-sector bodies in Europe for content management and intranet portals, the risk is non-negligible. The absence of any integrity or availability impact keeps the immediate operational risk low, while the ease of exploitation (no authentication and no user interaction) raises the threat for internet-facing deployments.

Mitigation Recommendations

European organizations should prioritize upgrading to a Liferay Portal version later than 7.4.3.36, or a Liferay DXP 7.4 version later than update 36, where this vulnerability is addressed. After upgrading, verify the fix by confirming that a request for a page's friendly URL history made without credentials, or with an account that has no permission on that page, is refused. Where an upgrade cannot be applied immediately, administrators should restrict access to the requests that return friendly URL history at the web server or web application firewall level, and log access to them so that unauthorized attempts can be detected. Organizations should also review and tighten permission settings within Liferay so that sensitive modules and endpoints are not publicly reachable, segment the network so that management interfaces are isolated, and apply WAF rules that block suspicious requests targeting friendly URL history. Regular security assessments and penetration tests that focus on information-disclosure vectors are recommended to identify any residual exposure.


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2022-10-03T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d983bc4522896dcbee15c

Added to database: 5/21/2025, 9:09:15 AM

Last enriched: 6/25/2025, 6:45:37 AM

Last updated: 8/17/2025, 9:03:21 AM
