CVE-2022-45320 — Privilege escalation in Liferay Portal

Description

Liferay Portal before 7.4.3.16 and Liferay DXP before 7.2 fix pack 19, 7.3 before update 6, and 7.4 before update 16 allow remote authenticated users to become the owner of a wiki page by editing the wiki page.

How to fix CVE-2022-45320

To remediate CVE-2022-45320, upgrade the affected package to a fixed version below.

Maven/com.liferay.portal:release.portal.bom—upgrade to 7.4.3.16 or later

Is CVE-2022-45320 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 7.4.3.16

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-45320
PATCHgithub.com/liferay/liferay-portal
WEBgithub.com/liferay/liferay-portal/releases/tag/7.4.3.16-ga16
WEBliferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2022-45320