CVE-2023-3426

MEDIUM4.3EPSS 0.43%

Liferay Portal and Liferay DXP Organization Selector Does Not Check User Permissions

Published: 8/2/2023Modified: 8/8/2025

Description

The organization selector in Liferay Portal 7.4.3.81 through 7.4.3.85, and Liferay DXP 7.4 update 81 through 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations.

Affected packages (3)

Bitnami/liferay>= 7.4-update81.0, <= 7.4-update81.0, >= 7.4-update82.0, <= 7.4-update82.0, >= 7.4-update83.0, <= 7.4-update83.0, >= 7.4-update84.0, <= 7.4-update84.0, >= 7.4-update85.0, <= 7.4-update85.0
Maven/com.liferay:com.liferay.organizations.item.selector.webfrom 0, < 4.0.14
Maven/com.liferay.portal:release.dxp.bom>= 7.4.143.u81, <= 7.4.143.u85

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-3426
PATCHhttps://github.com/liferay/liferay-portal
WEBhttps://github.com/liferay/liferay-portal/commit/b410f40233394d1d3d1076189befd4b33ba9fb47
WEBhttps://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-3426