Description

The Object module in Liferay Portal 7.4.3.4 through 7.4.3.48, and Liferay DXP 7.4 before update 49 does properly isolate objects in difference virtual instances, which allows remote authenticated users in one virtual instance to view objects in a different virtual instance via OAuth 2 scope administration page.

Remediation

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33946

Related Vulnerabilities

CVE-2020-2092 Vulnerability in maven package org.jenkins-ci.plugins:robot

CVE-2013-4590 Vulnerability in maven package org.apache.tomcat:jasper

CVE-2023-50765 Vulnerability in maven package org.jenkins-ci.plugins:scriptler

CVE-2020-2111 Vulnerability in maven package org.jenkins-ci.plugins:subversion

CVE-2017-4971 Vulnerability in maven package org.springframework.webflow:spring-webflow

Severity

Medium

Classification

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Vendor Advisory NVD-CWE-Other