CVE-2023-3426 – com.liferay:com.liferay.organizations.item.selector.web
Package
Manager: maven
Name: com.liferay:com.liferay.organizations.item.selector.web
Vulnerable Version: >=0 <4.0.14
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00248 (percentile: 0.4791)
Details
Liferay Portal and Liferay DXP Organization Selector Does Not Check User Permissions
The organization selector before 4.0.14 from Liferay Portal (7.4.3.81 through 7.4.3.85) and Liferay DXP 7.4 update 81 through 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations.
Metadata
Created: 2023-08-02T12:30:15Z
Modified: 2025-08-08T21:12:51Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-xph3-vjcq-g488/GHSA-xph3-vjcq-g488.json
CWE IDs: ["CWE-425", "CWE-862"]
Alternative ID: GHSA-xph3-vjcq-g488
Finding: F039
Auto approve: 1