First published: Wed May 24 2023
The Dynamic Data Mapping module in Liferay Portal 7.4.3.67 and Liferay DXP 7.4 update 67 does not limit which Document and Media files can be downloaded from a Form, which allows remote attackers to download any file from Document and Media via a crafted URL.
Credit: security@liferay.com
Affected Software | Affected Version | How to fix |
---|---|---|
maven/com.liferay.portal:release.portal.bom | =7.4.3.67 | 7.4.3.68 |
Liferay Liferay Portal | =7.4.3.67 | |
Liferay Digital Experience Platform | =7.4-update67 | |
The severity of CVE-2023-33948 is high.
CVE-2023-33948 allows remote attackers to download any file from Document and Media via a crafted URL.
Liferay Portal 7.4.3.67 and Liferay DXP 7.4 update 67 are affected by CVE-2023-33948.
Update Liferay Portal to version 7.4.3.68 or later.
You can find more information about CVE-2023-33948 at the following references: [Link 1](https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33948), [Link 2](https://nvd.nist.gov/vuln/detail/CVE-2023-33948), [Link 3](https://github.com/advisories/GHSA-w6f8-mxf5-4vf8).