CVE-2023-3426

Summary

The organization selector in Liferay Portal 7.4.3.81 through 7.4.3.85, and Liferay DXP 7.4 update 81 through 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations.

Affected Software

VendorProductVersion RangeStatus
LiferayDXP7.4.13.u81 <= 7.4.13.u85affected
LiferayPortal7.4.3.81 <= 7.4.3.85affected

Weaknesses

  • CWE-425: CWE-425 Direct Request ('Forced Browsing')

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References