CVE-2023-33947: CVE-2023-33947 Unauthorized access to object definition via search - Liferay

This website uses cookies to ensure you get the best experience. Learn More.

Accept

• Ask
• Blogs
• Download
• Feedback
• Help
• Learn
• Projects
• /dev/24
• Log In

Known Vulnerabilities

• Overview
• Reporting Security Issues
• Known Vulnerabilities
• Hall of Fame

Releases

• Liferay Portal 7.4

• Liferay Portal 7.3

• Liferay Portal 7.2

• Liferay Portal 7.1

• Liferay Portal 7.0

• Liferay Portal 6.2 CE

• Liferay Faces

• Liferay DXP 7.4

• Liferay DXP 7.3

• Liferay DXP 7.2

• LIferay DXP 7.1

• LIferay DXP 7.0

CVE-2023-33947 Unauthorized access to object definition via search

Description

The Object module in Liferay Portal and Liferay DXP does not segment object definition by virtual instance in search which allows remote authenticated users in one virtual instance to view object definition from a second virtual instance by searching for the object definition.

Severity

2.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N)

Affected Version(s)

• Liferay DXP 7.4 before update 61
• Liferay Portal 7.4.3.4 - 7.4.3.60

Fixed Version(s)

• Liferay DXP 7.4 update 61
• Liferay Portal 7.4.3.61

Publication date: Wed, 24 May 2023 07:00:00 +0000

Security advisories for Liferay’s enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historial advisories are availabe in the Help Center.