Description
Liferay Portal 7.3.7, 7.4.0, and 7.4.1, and Liferay DXP 7.2 fix pack 13, and 7.3 fix pack 2 does not properly check user permission when accessing a list of sites/groups, which allows remote authenticated users to view sites/groups via the user's site membership assignment UI.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_misc
http://liferay.com
Scores
CVSS v3
4.3
EPSS
0.0011
EPSS Percentile
29.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-276
Status
published
Products (9)
com.liferay/com.liferay.site.browser.web
0 - 6.0.5Maven
com.liferay.portal/com.liferay.portal.impl
0 - 7.7.9Maven
com.liferay.portal/release.dxp.bom
7.2.0 - 7.2.10.fp13Maven
com.liferay.portal/release.portal.bom
Maven
liferay/digital_experience_platform
7.2 fix_pack_13
liferay/digital_experience_platform
7.3 fix_pack_2
liferay/liferay_portal
7.3.7
liferay/liferay_portal
7.4.0
liferay/liferay_portal
7.4.1
Published
Apr 19, 2022
Tracked Since
Feb 18, 2026