Privilege Escalation

com.liferay.portal is vulnerable to privilege escalation. Remote authenticated attackers are able to gain access to view sensitive user information by accessing a list of sites and groups via the site membership assignment UI, due to improper validations of user permissions...

Code injection

Liferay Portal 7.3.7, 7.4.0, and 7.4.1, and Liferay DXP 7.2 fix pack 13, and 7.3 fix pack 2 does not properly check user permission when accessing a list of sites/groups, which allows remote authenticated users to view sites/groups via the user's site membership assignment UI...