Vulnerability Details : CVE-2021-29052
The Data Engine module in Liferay Portal 7.3.0 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 does not check permissions in DataDefinitionResourceImpl.getSiteDataDefinitionByContentTypeByDataDefinitionKey, which allows remote authenticated users to view DDMStructures via GET API calls.
Threat overview for CVE-2021-29052
Top countries where our scanners detected CVE-2021-29052
Top open port discovered on systems with this issue 80
IPs affected by CVE-2021-29052 22
Threat actors abusing to this issue? Yes
Find out if you* are affected by CVE-2021-29052!
*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2021-29052
Probability of exploitation activity in the next 30 days: 0.08%
CVSS scores for CVE-2021-29052
|Base Score||Base Severity||CVSS Vector||Exploitability Score||Impact Score||Source|
CWE ids for CVE-2021-29052
During installation, installed file permissions are set to allow anyone to modify those files.Assigned by: firstname.lastname@example.org (Primary)
References for CVE-2021-29052
Digital Experience Software Tailored to Your Needs | LiferayVendor Advisory
CVE-2021-29052 Unauthorized users can view DDMStructuresVendor Advisory