CVE-2023-3426

Published: Aug 2, 2023Modified: Jan 30, 2026

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

The organization selector in Liferay Portal 7.4.3.81 through 7.4.3.85, and Liferay DXP 7.4 update 81 through 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations.

Affected (6)

Products: Liferay: Digital Experience Platform, Liferay Portal

Liferay

2 products

Digital Experience Platform

Liferay Portal

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Liferay Digital Experience Platform	Version 7.4 update81
Liferay Digital Experience Platform	Version 7.4 update82
Liferay Digital Experience Platform	Version 7.4 update83
Liferay Digital Experience Platform	Version 7.4 update84
Liferay Digital Experience Platform	Version 7.4 update85
Liferay Liferay Portal	From 7.4.3.81 to 7.4.3.85

Related CWEs

CWE-425

Direct Request ('Forced Browsing')

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

CWE-862

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (2)

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-3426

Source: security@liferay.com

Vendor Advisory

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-3426

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.