Description

The Object module in Liferay Portal 7.4.3.4 through 7.4.3.60, and Liferay DXP 7.4 before update 61 does not segment object definition by virtual instance in search which allows remote authenticated users in one virtual instance to view object definition from a second virtual instance by searching for the object definition.

Remediation

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33947

Related Vulnerabilities

CVE-2019-1003085 Vulnerability in maven package org.jenkins-ci.plugins:zephyr-enterprise-test-management

CVE-2020-1714 Vulnerability in maven package org.keycloak:keycloak-common

CVE-2016-3087 Vulnerability in maven package org.apache.struts:struts2-core

CVE-2011-3375 Vulnerability in maven package org.apache.tomcat:coyote

CVE-2022-34797 Vulnerability in maven package org.jenkins-ci.plugins:ec2-deployment-dashboard

Severity

Medium

Classification

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Vendor Advisory NVD-CWE-Other