Headline
CVE-2023-33946: CVE-2023-33946 Unauthorized access to objects via OAuth 2 scope - Liferay
The Object module in Liferay Portal 7.4.3.4 through 7.4.3.48, and Liferay DXP 7.4 before update 49 does properly isolate objects in difference virtual instances, which allows remote authenticated users in one virtual instance to view objects in a different virtual instance via OAuth 2 scope administration page.
This website uses cookies to ensure you get the best experience. Learn More.
Accept
- Ask
- Blogs
- Download
- Feedback
- Help
- Learn
- Projects
- /dev/24
- Log In
Known Vulnerabilities
- Overview
- Reporting Security Issues
- Known Vulnerabilities
- Hall of Fame
Releases
Liferay Portal 7.4
Liferay Portal 7.3
Liferay Portal 7.2
Liferay Portal 7.1
Liferay Portal 7.0
Liferay Portal 6.2 CE
Liferay Faces
Liferay DXP 7.4
Liferay DXP 7.3
Liferay DXP 7.2
LIferay DXP 7.1
LIferay DXP 7.0
CVE-2023-33946 Unauthorized access to objects via OAuth 2 scope
Description
The Object module in Liferay Portal and Liferay DXP does properly isolate objects in difference virtual instances, which allows remote authenticated users in one virtual instance to view objects in a different virtual instance via OAuth 2 scope administration page.
Severity
2.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N)
Affected Version(s)
- Liferay DXP 7.4 before update 49
- Liferay Portal 7.4.3.4 - 7.4.3.48
Fixed Version(s)
- Liferay DXP 7.4 update 49
- Liferay Portal 7.4.3.49
Publication date: Wed, 24 May 2023 07:00:00 +0000
Security advisories for Liferay’s enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historial advisories are availabe in the Help Center.
Related news
The Object module in Liferay Portal 7.4.3.4 through 7.4.3.48, and Liferay DXP 7.4 before update 49 does properly isolate objects in difference virtual instances, which allows remote authenticated users in one virtual instance to view objects in a different virtual instance via OAuth 2 scope administration page.