Description
The Dynamic Data Mapping module in Liferay Portal and Liferay DXP does not limit Document and Media files which can be downloaded from a Form, which allows remote attackers to download any file from Document and Media via a crafted URL.
Severity
5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected Version(s)
- Liferay DXP 7.4 update 67
- Liferay Portal 7.4.3.67
Fixed Version(s)
- Liferay DXP 7.4 update 68
- Liferay Portal 7.4.3.68
Publication date: Wed, 24 May 2023 07:00:00 +0000