Lucene search

GoogleOSV:BIT-LIFERAY-2023-3426

HistoryJan 31, 2024 - 3:17 p.m.

BIT-liferay-2023-3426

2024-01-3115:17:10

Google

osv.dev

liferay portal

dxp

organization

selector

vulnerability

remote authenticated users

user permission

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

6.5 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

21.8%

JSON

The organization selector in Liferay Portal 7.4.3.81 through 7.4.3.85, and Liferay DXP 7.4 update 81 through 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations.

CPENameOperatorVersion
liferayle7.4-update82.0
liferayge7.4-update85.0
liferayge7.4-update81.0
liferayge7.4-update84.0
liferayge7.4-update83.0
liferayge7.4-update82.0
liferayle7.4-update81.0
liferayle7.4-update84.0
liferayle7.4-update83.0
liferayle7.4-update85.0

Name	Operator	Version
liferay	le	7.4-update82.0
liferay	ge	7.4-update85.0
liferay	ge	7.4-update81.0
liferay	ge	7.4-update84.0
liferay	ge	7.4-update83.0
liferay	ge	7.4-update82.0
liferay	le	7.4-update81.0
liferay	le	7.4-update84.0
liferay	le	7.4-update83.0
liferay	le	7.4-update85.0

References

liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-3426

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

6.5 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

21.8%

JSON

Related for OSV:BIT-LIFERAY-2023-3426