Description
Liferay Portal and Liferay DXP does not limit access to APIs before a user has verified their email address, which allows remote users to access and edit content via the API.
Severity
6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N)
Affected Version(s)
- Liferay DXP 2023.Q3.1 through 2023.Q3.4
- Liferay DXP 7.4 GA through Update 92
- Liferay DXP 7.3 GA through Update 35
- Liferay DXP 7.2
- Liferay DXP 7.1
- Liferay DXP 7.0
- Liferay Portal 6.2 EE
- Older, unsupported versions are also affected
Fixed Version(s)
- Liferay Portal 7.4.3.110
- Liferay DXP 2024.Q1.1
- Liferay DXP 2023.Q4.0
- Liferay DXP 2023.Q3.5
- Liferay DXP 7.3 Update 36
Acknowledgments
This issue was reported by 4rth4s
Publication date: Tue, 17 Sep 2024 13:57:00 +0000