4Rth4S

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.3 GA through update 35 Liferay Portal versions 7.4.0 through 7.4.3.109 Liferay DXP versions 2023.Q3.1 through 2023.Q3.4 Liferay Portal 7.4 GA through update 92 **Description** The software does not restrict access to APIs before a user has verified their email address. This allows remote users to access and edit content via the API. **Recommendations** Update Liferay Portal to a version after update 92. Update Liferay DXP to a version after 2023.Q3.4. Update Liferay Portal version 7.3 to a version after update 35. Update Liferay Portal version 7.4 to a version after 7.4.3.109.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.3 GA through update 35 Liferay Portal versions 7.4.0 through 7.4.3.111 Liferay DXP versions 2023.Q3.1 through 2023.Q3.4 Liferay DXP version 2023.Q4.0 Liferay Portal 7.4 GA through update 92 **Description** The software does not restrict access to APIs before a user has changed their initial password, potentially allowing remote users to access and edit content via the API. **Recommendations** Update Liferay Portal versions prior to 7.4.3.111. Update Liferay DXP versions prior to 2023.Q4.0. Update Liferay Portal versions prior to 7.4 GA update 92. Update Liferay Portal versions prior to 7.3 GA update 35.

Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.4.0 through 7.4.3.124 Liferay DXP versions 2024.Q1.1 through 2024.Q1.12 Liferay DXP versions 7.4 update 81 through update 85 Description: The organization selector does not verify user permissions, potentially allowing remote authenticated users to retrieve a list of all organizations. Recommendations: Update Liferay Portal to a version later than 7.4.3.124. Update Liferay DXP to a version later than 2024.Q1.12. Update Liferay DXP to a version later than 7.4 update 85.

**Name of the Vulnerable Software and Affected Versions** Axe Credit Portal versions 3.0 and later **Description** The issue allows authenticated attackers to execute unintended queries and disclose sensitive information from database tables via crafted requests, specifically through the Save Favorite Search function. **Recommendations** For Axe Credit Portal versions 3.0 and later, update to a version that includes a fix for this issue to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.4.3.81 through 7.4.3.85 Liferay DXP 7.4 update 81 through 85 **Description** The organization selector does not check user permission, allowing remote authenticated users to obtain a list of all organizations. **Recommendations** For Liferay Portal versions 7.4.3.81 through 7.4.3.85, consider restricting access to the organization selector until a patch is available. For Liferay DXP 7.4 update 81 through 85, consider restricting access to the organization selector until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zoho ManageEngine ServiceDesk Plus versions prior to 14202 Zoho ManageEngine ServiceDesk Plus MSP versions prior to 14300 Zoho ManageEngine SupportCenter Plus versions prior to 14300 **Description** The issue allows unprivileged users to access the Reminders of a release ticket and make modifications due to a privilege escalation vulnerability in the Release module. **Recommendations** For Zoho ManageEngine ServiceDesk Plus versions prior to 14202, update to version 14202 or later. For Zoho ManageEngine ServiceDesk Plus MSP versions prior to 14300, update to version 14300 or later. For Zoho ManageEngine SupportCenter Plus versions prior to 14300, update to version 14300 or later.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.4.3.5 through 7.4.3.36 Liferay DXP 7.4 update 1 through 36 **Description** The issue concerns the Friendly Url module, which does not properly check user permissions. This allows remote attackers to obtain the history of all friendly URLs assigned to a page. **Recommendations** For Liferay Portal versions 7.4.3.5 through 7.4.3.36, consider restricting access to the Friendly Url module until a patch is available. For Liferay DXP 7.4 update 1 through 36, consider disabling the Friendly Url module as a temporary workaround to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.3.3 through 7.4.3.34 Liferay DXP versions 7.3 before update 10 Liferay DXP versions 7.4 before update 35 **Description** The Layout module in Liferay Portal does not check user permission before showing the preview of a "Content Page" type page, allowing attackers to view unpublished "Content Page" pages via URL manipulation. **Recommendations** For Liferay Portal versions 7.3.3 through 7.4.3.34, update to a version that includes the fix for this issue. For Liferay DXP versions 7.3 before update 10, apply update 10 or later to resolve the issue. For Liferay DXP versions 7.4 before update 35, apply update 35 or later to resolve the issue. As a temporary workaround, consider restricting access to the Layout module until a patch is available.