Fluid Attacks Database

Description

Liferay Portal and Liferay DXP Organization Selector Does Not Check User Permissions The organization selector before 4.0.14 from Liferay Portal (7.4.3.81 through 7.4.3.85), and Liferay DXP 7.4 update 81 through 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	com.liferay.portal:release.dxp.bom	>=7.4.143.u81 <=7.4.143.u85	-
maven	com.liferay:com.liferay.organizations.item.selector.web	>=0 <4.0.14	4.0.14

Aliases

1. CVE-2023-34262. NVD-2023-34263. OSV-2023-34264. GCVE-2023-3426

References

1. https://github.com/liferay/liferay-portal/commit/b410f40233394d1d3d1076189befd4b33ba9fb472. https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-3426

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.