CVE-2023-3426 MEDIUM

Vendor Liferay
Product DXP
Weakness CWE-425 · Forced browsing
Published August 2, 2023
Last update October 11, 2024

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

The organization selector in Liferay Portal 7.4.3.81 through 7.4.3.85, and Liferay DXP 7.4 update 81 through 85, does not check user permission, which allows remote authenticated users to obtain a list of all organizations.

Key dates

02 Disclosure timeline

August 2, 2023 CVE published
October 11, 2024 Record updated