CVE-2023-3426 – com.liferay.portal:release.dxp.bom
Package
Manager: maven
Name: com.liferay.portal:release.dxp.bom
Vulnerable Version: >=7.4.143.u81 <=7.4.143.u85
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00248 (percentile: 0.47897)
Details
Liferay Portal and Liferay DXP Organization Selector Does Not Check User Permissions
The organization selector before 4.0.14 from Liferay Portal (7.4.3.81 through 7.4.3.85) and Liferay DXP 7.4 update 81 through 85 does not check user permissions, which allows remote authenticated users to obtain a list of all organizations.
Metadata
Created: 2023-08-02T12:30:15Z
Modified: 2025-08-08T21:12:51Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-xph3-vjcq-g488/GHSA-xph3-vjcq-g488.json
CWE IDs: ["CWE-425", "CWE-862"]
Alternative ID: GHSA-xph3-vjcq-g488
Finding: F039
Auto approve: 1