PT-2023-24782 · Liferay · Liferay DXP +1

4Rth4S · Published 2023-08-02 · Updated 2026-01-30 · CVE-2023-3426

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Liferay Portal versions 7.4.3.81 through 7.4.3.85
Liferay DXP 7.4 update 81 through 85

Description

The organization selector does not check user permissions, allowing remote authenticated users to obtain a list of all organizations.

Recommendations

For Liferay Portal versions 7.4.3.81 through 7.4.3.85 and Liferay DXP 7.4 update 81 through 85, consider restricting access to the organization selector until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Missing Authorization

Related Identifiers

BIT-LIFERAY-2023-3426
CVE-2023-3426
GHSA-XPH3-VJCQ-G488

Affected Products

Liferay DXP
Liferay Portal