CVE-2023-33947 Unauthorized access to object definition via search

Description

The Object module in Liferay Portal and Liferay DXP does not segment object definition by virtual instance in search which allows remote authenticated users in one virtual instance to view object definition from a second virtual instance by searching for the object definition.

Severity

2.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N)

Affected Version(s)

  • Liferay DXP 7.4 before update 61
  • Liferay Portal 7.4.3.4 - 7.4.3.60

Fixed Version(s)

Publication date: Wed, 24 May 2023 07:00:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historial advisories are availabe in the Help Center.