CVE-2023-3426 — Forced Browsing in DXP

CWE-425 — Forced Browsing CWE-862 — Missing Authorization4 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.3%

top 44.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay DXP Liferay Portal Liferay Portal +1 more

Timeline

PublishedAug 2

Description

The organization selector in Liferay Portal 7.4.3.81 through 7.4.3.85, and Liferay DXP 7.4 update 81 through 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶CVEListV5liferay/portal7.4.3.81 — 7.4.3.85

▶NVDliferay/liferay_portal7.4.3.81 — 7.4.3.85

▶CVEListV5liferay/dxp7.4.13.u81 — 7.4.13.u85

▶NVDliferay/digital_experience_platform7.4

🔴Vulnerability Details

OSV

Liferay Portal and Liferay DXP Organization Selector Does Not Check User Permissions↗2023-08-02

▶

CVEList

CVE-2023-3426: The organization selector in Liferay Portal 7↗2023-08-02

▶

GHSA

Liferay Portal and Liferay DXP Organization Selector Does Not Check User Permissions↗2023-08-02

▶