Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13NmY4LW14ZjUtNHZmOM4AAzdU
Missing authorization in Liferay portal
The Dynamic Data Mapping module in Liferay Portal 7.4.3.67, and Liferay DXP 7.4 update 67 does not limit Document and Media files which can be downloaded from a Form, which allows remote attackers to download any file from Document and Media via a crafted URL.
Permalink: https://github.com/advisories/GHSA-w6f8-mxf5-4vf8JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13NmY4LW14ZjUtNHZmOM4AAzdU
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 11 months ago
Updated: 6 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-w6f8-mxf5-4vf8, CVE-2023-33948
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-33948
- https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33948
- https://github.com/advisories/GHSA-w6f8-mxf5-4vf8
Affected Packages
maven:com.liferay.portal:release.portal.bom
Dependent packages: 5Dependent repositories: 33
Downloads:
Affected Version Ranges: = 7.4.3.67
Fixed in: 7.4.3.68
All affected versions:
All unaffected versions: 7.0.6, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.4.0, 7.4.1, 7.4.2