CVE-2022-26595 Unauthorized access to site/group list

Description

Liferay Portal 7.3.7 through 7.4.1 allows remote authenticated users to view sites/groups via the user's site membership assignment UI. Because user permission does not properly check when accessing a list of sites/groups.

Severity

4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Version(s)

  • Liferay Portal 7.3.7
  • Liferay Portal 7.4.0 - 7.4.1

Fixed Version(s)

Publication date: Mon, 24 Jan 2022 16:00:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historial advisories are availabe in the Help Center.