CVE-2023-33948 Unauthorized access to Document and Media files via Forms

Description

The Dynamic Data Mapping module in Liferay Portal and Liferay DXP does not limit Document and Media files which can be downloaded from a Form, which allows remote attackers to download any file from Document and Media via a crafted URL.

Severity

5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Version(s)

Liferay DXP 7.4 update 67
Liferay Portal 7.4.3.67

Fixed Version(s)

Liferay DXP 7.4 update 68
Liferay Portal 7.4.3.68

Publication date: Wed, 24 May 2023 07:00:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historial advisories are availabe in the Help Center.

Known Vulnerabilities

Releases

Description

Severity

Affected Version(s)

Fixed Version(s)