First published: Wed May 24 2023
The Object module in Liferay Portal 7.4.3.4 through 7.4.3.48, and Liferay DXP 7.4 before update 49, does not properly isolate objects in different virtual instances, which allows remote authenticated users in one virtual instance to view objects in a different virtual instance via the OAuth 2 scope administration page.
Credit: security@liferay.com
Affected Software | Affected Version | How to fix |
---|---|---|
Liferay Digital Experience Platform | =7.4-update34 | |
Liferay Digital Experience Platform | =7.4-update1 | |
Liferay Digital Experience Platform | =7.4 | |
Liferay Digital Experience Platform | =7.4-update36 | |
Liferay Portal | >=7.4.3.4 <=7.4.3.48 | |
The severity of CVE-2023-33946 is medium.
Liferay Portal versions 7.4.3.4 through 7.4.3.48 are affected by CVE-2023-33946.
CVE-2023-33946 allows remote authenticated users in one virtual instance to view objects in a different virtual instance via OAuth 2 scope administration.
To fix CVE-2023-33946, update to Liferay Portal version 7.4.3.49 or later.
You can find more information about CVE-2023-33946 [here](https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33946).