Description
In Liferay Portal 7.1.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions, the default membership type of a newly created site is “Open” which allows any registered users to become a member of the site. A remote attacker with site membership can potentially view, add or edit content on the site.
Remediation
References
Related Vulnerabilities
PHP Resource Management Errors Vulnerability (CVE-2011-1148)
e107 Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2011-3731)
Python Uncontrolled Resource Consumption Vulnerability (CVE-2021-3737)
WordPress Plugin Cart66 Lite::WordPress Ecommerce Multiple Vulnerabilities (1.5.1.14)
Oracle Database Server CVE-2010-0854 Vulnerability (CVE-2010-0854)