First published: Thu Feb 08 2024(Updated: )
In Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions the `doAsUserId` URL parameter may get leaked when creating linked content using the WYSIWYG editor and while impersonating a user. This may allow remote authenticated users to impersonate a user after accessing the linked content.
Affected Software | Affected Version | How to fix |
---|---|---|
maven/com.liferay.portal:release.dxp.bom | >=7.3.0<7.3.10.u4 | 7.3.10.u4 |
maven/com.liferay.portal:release.dxp.bom | >=7.2.0<7.2.10.fp15 | 7.2.10.fp15 |
maven/com.liferay.portal:release.portal.bom | >=7.2.0<7.4.2 | 7.4.2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.