PT-2023-24590 · Liferay · Liferay Dxp+1

Published: 2023-05-24 · Updated: 2024-01-31 · CVE-2023-33948

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Liferay Portal version 7.4.3.67
Liferay DXP 7.4 update 67

Description

The issue allows remote attackers to download any file from Document and Media via a crafted URL, due to the Dynamic Data Mapping module not limiting Document and Media files which can be downloaded from a Form.

Recommendations

For Liferay Portal version 7.4.3.67, consider restricting access to the Dynamic Data Mapping module until a fix is available. For Liferay DXP 7.4 update 67, restrict access to the Dynamic Data Mapping module to minimize the risk of exploitation.

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

BIT-LIFERAY-2023-33948
CVE-2023-33948
GHSA-W6F8-MXF5-4VF8

Affected Products

Liferay Dxp
Liferay Portal