First published: Wed May 24 2023(Updated: )
The Object module in Liferay Portal 7.4.3.4 through 7.4.3.60, and Liferay DXP 7.4 before update 61 does not segment object definition by virtual instance in search which allows remote authenticated users in one virtual instance to view object definition from a second virtual instance by searching for the object definition.
Credit: security@liferay.com security@liferay.com
Affected Software | Affected Version | How to fix |
---|---|---|
Liferay Digital Experience Platform | =7.4-update34 | |
Liferay Digital Experience Platform | =7.4-update1 | |
Liferay Digital Experience Platform | =7.4 | |
Liferay Digital Experience Platform | =7.4-update36 | |
Liferay Digital Experience Platform | =7.4-update41 | |
Liferay Digital Experience Platform | =7.4-update52 | |
Liferay Digital Experience Platform | =7.4-update50 | |
Liferay Digital Experience Platform | =7.4-update21 | |
Liferay Liferay Portal | >=7.4.3.4<=7.4.3.60 | |
maven/com.liferay.portal:release.portal.bom | >=7.4.3.4<7.4.3.61 | 7.4.3.61 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2023-33947 is a vulnerability in Liferay Portal and Liferay DXP that allows remote authenticated users in one virtual instance to view object definition from a second virtual instance.
CVE-2023-33947 has a severity level of medium.
CVE-2023-33947 affects Liferay Portal versions 7.4.3.4 through 7.4.3.60 and Liferay DXP versions 7.4 before update 61.
Remote authenticated users can exploit CVE-2023-33947 by searching for object definitions and accessing them from a different virtual instance.
Yes, a fix is available for CVE-2023-33947 in Liferay DXP update 61 and Liferay Portal 7.4.3.61.