CVE-2023-33948: Missing Authorization in DXP

Severity
NVD: 7.5 HIGH
CNA: 5.3
EPSS
0.3%
top 43.73%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: May 24

Description

The Dynamic Data Mapping module in Liferay Portal 7.4.3.67 and Liferay DXP 7.4 update 67 does not limit the Document and Media files that can be downloaded from a Form, which allows remote attackers to download any file from Document and Media via a crafted URL.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (4 packages)

CVEListV5: liferay/portal 7.4.3.67
CVEListV5: liferay/dxp 7.4.13.u67

Vulnerability Details (3)

CVEList: CVE-2023-33948: The Dynamic Data Mapping module in Liferay Portal 7 (2023-05-24)
OSV: Missing authorization in Liferay portal (2023-05-24)
GHSA: Missing authorization in Liferay portal (2023-05-24)