
CVE-2022-42129: n/a in n/a

Medium
Published: Tue Nov 15 2022 (11/15/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

An Insecure direct object reference (IDOR) vulnerability in the Dynamic Data Mapping module in Liferay Portal 7.3.2 through 7.4.3.4, and Liferay DXP 7.3 before update 4, and 7.4 GA allows remote authenticated users to view and access form entries via the `formInstanceRecordId` parameter.

AI-Powered Analysis

Last updated: 06/25/2025, 11:32:27 UTC

Technical Analysis

CVE-2022-42129 is an Insecure Direct Object Reference (IDOR) vulnerability affecting the Dynamic Data Mapping (DDM) module in Liferay Portal versions 7.3.2 through 7.4.3.4, and Liferay DXP 7.3 before update 4 and 7.4 GA. This vulnerability allows remote authenticated users to access and view form entries by manipulating the `formInstanceRecordId` parameter. Essentially, the vulnerability arises because the application does not properly enforce access controls on the `formInstanceRecordId` parameter, enabling users with valid credentials to access form data that they should not be authorized to see. The vulnerability is classified under CWE-639, which relates to authorization bypass through improper validation of object references. The CVSS v3.1 base score is 4.3 (medium severity), with an attack vector of network (remote), low attack complexity, requiring privileges (authenticated users), no user interaction, and limited impact confined to confidentiality (partial data disclosure) without affecting integrity or availability. No known exploits in the wild have been reported, and no official patches or vendor advisories are linked in the provided data. The vulnerability affects a widely used enterprise portal platform, Liferay, which is often deployed in corporate intranets, customer portals, and government websites to manage dynamic forms and data collection.

Potential Impact

For European organizations using Liferay Portal or Liferay DXP, this vulnerability poses a risk of unauthorized disclosure of sensitive form data. Since the vulnerability requires authenticated access, it primarily threatens insider users or compromised accounts. The exposure of form entries could lead to leakage of personally identifiable information (PII), business-sensitive data, or confidential customer information, potentially violating GDPR and other data protection regulations in Europe. Although the vulnerability does not allow modification or deletion of data, the confidentiality breach alone can damage organizational reputation, lead to regulatory fines, and erode customer trust. Sectors such as government agencies, healthcare, finance, and large enterprises that rely on Liferay for managing forms and data collection are particularly at risk. The medium severity rating indicates that while the vulnerability is not critical, it still warrants timely remediation to prevent data leaks. The lack of known exploits suggests limited active exploitation, but the ease of exploitation by authenticated users means that insider threat or credential compromise scenarios are the main concern.

Mitigation Recommendations

1. Implement strict access control checks on the `formInstanceRecordId` parameter to ensure users can only access form entries they are authorized to view.
2. Review and harden authentication and session management mechanisms to reduce the risk of credential compromise, including enforcing multi-factor authentication (MFA) for all users with access to Liferay portals.
3. Conduct an audit of user permissions and roles within Liferay to minimize privileges, applying the principle of least privilege.
4. Monitor access logs for unusual or unauthorized access patterns to form entries, focusing on anomalous access to `formInstanceRecordId` values.
5. If possible, upgrade to a patched version of Liferay Portal or DXP once available; in the absence of official patches, consider applying custom access control filters or web application firewall (WAF) rules to restrict unauthorized access to form data endpoints.
6. Educate users about the risks of credential sharing and phishing attacks to reduce the risk of account compromise.
7. Regularly review and update data classification and handling policies to ensure sensitive form data is appropriately protected even if accessed.
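The following is an added example, not Liferay code, that models the access-control gap described above and the corrected form of the lookup recommended in item 1. Liferay is a Java platform; Python is used here only to illustrate the check, and the type names (`FormInstance`, `FormRecord`), the `view_record_*` functions and the sample data are all hypothetical and constructed for this demonstration.

```python
"""Added example (not Liferay code): an authenticated lookup keyed only on the
client-supplied `formInstanceRecordId` (the IDOR) beside a lookup that first
resolves the record and then authorizes the caller against the resolved object.
All names and data here are hypothetical/constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FormInstance:
    form_instance_id: int
    owner_user_id: int                   # user who created the form
    viewers: frozenset = frozenset()     # extra users granted VIEW on its entries


@dataclass(frozen=True)
class FormRecord:
    form_instance_record_id: int         # value sent as `formInstanceRecordId`
    form_instance_id: int
    submitter_user_id: int
    fields: dict


# Constructed sample data: two forms, each with one submitted entry.
FORMS = {
    10: FormInstance(10, owner_user_id=1),
    20: FormInstance(20, owner_user_id=2, viewers=frozenset({3})),
}
RECORDS = {
    1001: FormRecord(1001, 10, submitter_user_id=4, fields={"email": "a@example.test"}),
    1002: FormRecord(1002, 20, submitter_user_id=5, fields={"iban": "<constructed>"}),
}


def view_record_vulnerable(requesting_user_id, form_instance_record_id):
    """IDOR: the caller is authenticated, but the entry is returned for any
    valid id; the requesting user is never compared with the record."""
    return RECORDS.get(form_instance_record_id)


def can_view_record(requesting_user_id, record):
    """Authorize against the resolved object: submitter, form owner, or a
    user explicitly granted VIEW on the form instance. Deny by default."""
    form = FORMS[record.form_instance_id]
    return (requesting_user_id == record.submitter_user_id
            or requesting_user_id == form.owner_user_id
            or requesting_user_id in form.viewers)


def view_record_fixed(requesting_user_id, form_instance_record_id):
    """Same error for a missing id and a forbidden one, so responses do not
    confirm which `formInstanceRecordId` values exist."""
    record = RECORDS.get(form_instance_record_id)
    if record is None or not can_view_record(requesting_user_id, record):
        raise PermissionError("form entry not available")
    return record
```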


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2022-10-03T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d983ac4522896dcbed940

Added to database: 5/21/2025, 9:09:14 AM

Last enriched: 6/25/2025, 11:32:27 AM

Last updated: 8/14/2025, 10:22:16 PM
