First published: Wed Aug 02 2023
The organization selector in Liferay Portal 7.4.3.81 through 7.4.3.85, and Liferay DXP 7.4 update 81 through 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations.
Credit: security@liferay.com
Affected Software | Affected Version | How to fix |
---|---|---|
Liferay Digital Experience Platform | =7.4-update81 | Upgrade to Liferay DXP 7.4 update 86 or later |
Liferay Digital Experience Platform | =7.4-update82 | Upgrade to Liferay DXP 7.4 update 86 or later |
Liferay Digital Experience Platform | =7.4-update83 | Upgrade to Liferay DXP 7.4 update 86 or later |
Liferay Digital Experience Platform | =7.4-update84 | Upgrade to Liferay DXP 7.4 update 86 or later |
Liferay Digital Experience Platform | =7.4-update85 | Upgrade to Liferay DXP 7.4 update 86 or later |
Liferay Portal | >=7.4.3.81 <=7.4.3.85 | Upgrade to Liferay Portal 7.4.3.86 or later |
CVE-2023-3426 is a missing-authorization vulnerability in Liferay Portal and Liferay DXP: the organization selector returns the list of all organizations to any remote authenticated user without checking that the user has permission to view them.
CVE-2023-3426 has a severity score of 4.3, rated medium.
CVE-2023-3426 affects Liferay Portal 7.4.3.81 through 7.4.3.85 and Liferay DXP 7.4 update 81 through update 85.
The issue is reachable by any remote authenticated user through the organization selector, which discloses the full organization list because no permission check is applied.
Upgrading to Liferay Portal 7.4.3.86 or later, or to Liferay DXP 7.4 update 86 or later, fixes CVE-2023-3426.
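For triaging an inventory against the affected window stated above, the following is an added example (not part of this advisory or of Liferay's code). It parses both version schemes used on this page, Portal strings such as `7.4.3.83` and DXP strings such as `7.4-update83` or `7.4 update 83`, and reports whether each host falls inside the affected range; the host names and versions in the sample inventory are constructed.

```python
import re

# Affected window as stated in the advisory for CVE-2023-3426:
# Liferay Portal 7.4.3.81 through 7.4.3.85 (fixed in 7.4.3.86),
# Liferay DXP 7.4 update 81 through 85 (fixed in update 86).
PORTAL_AFFECTED = ((7, 4, 3, 81), (7, 4, 3, 85))
DXP_AFFECTED = (81, 85)

_PORTAL_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")
_DXP_RE = re.compile(r"^7\.4[\s-]*update\s*(\d+)$", re.IGNORECASE)


def parse_version(text):
    """Return ("portal", (a, b, c, d)), ("dxp", update_no) or None."""
    s = text.strip()
    m = _PORTAL_RE.match(s)
    if m:
        return ("portal", tuple(int(g) for g in m.groups()))
    m = _DXP_RE.match(s)
    if m:
        return ("dxp", int(m.group(1)))
    return None


def is_affected(text):
    """True if the version lies inside the advisory's affected range.

    Raises ValueError for unrecognised strings so that an inventory
    check never silently treats an unparsed entry as safe.
    """
    parsed = parse_version(text)
    if parsed is None:
        raise ValueError(f"unrecognised Liferay version: {text!r}")
    kind, value = parsed
    lo, hi = PORTAL_AFFECTED if kind == "portal" else DXP_AFFECTED
    return lo <= value <= hi


def triage(inventory):
    """Map host -> True (affected), False (not affected) or None (unparsed)."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = is_affected(version)
        except ValueError:
            result[host] = None
    return result


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = {"portal-a": "7.4.3.83", "portal-b": "7.4.3.86",
              "dxp-a": "7.4-update81", "dxp-b": "7.4 update 86", "odd": "7.3.7"}
    for host, state in triage(sample).items():
        print(host, {True: "AFFECTED", False: "not affected", None: "unparsed"}[state])
```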