CVE-2023-33946 Unauthorized access to objects via OAuth 2 scope

Description

The Object module in Liferay Portal and Liferay DXP does properly isolate objects in difference virtual instances, which allows remote authenticated users in one virtual instance to view objects in a different virtual instance via OAuth 2 scope administration page.

Severity

2.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N)

Affected Version(s)

  • Liferay DXP 7.4 before update 49
  • Liferay Portal 7.4.3.4 - 7.4.3.48

Fixed Version(s)

Publication date: Wed, 24 May 2023 07:00:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historial advisories are availabe in the Help Center.