CVE-2023-33948 Unauthorized access to Document and Media files via Forms

Description

The Dynamic Data Mapping module in Liferay Portal and Liferay DXP does not limit Document and Media files which can be downloaded from a Form, which allows remote attackers to download any file from Document and Media via a crafted URL.

Severity

5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Version(s)

  • Liferay DXP 7.4 update 67
  • Liferay Portal 7.4.3.67

Fixed Version(s)

Publication date: Wed, 24 May 2023 07:00:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historial advisories are availabe in the Help Center.