CVE-2023-33946

LOW

Liferay Portal/DXP <7.4.3.49 - Info Disclosure

Title source: llm

Description

The Object module in Liferay Portal 7.4.3.4 through 7.4.3.48, and Liferay DXP 7.4 before update 49 does properly isolate objects in difference virtual instances, which allows remote authenticated users in one virtual instance to view objects in a different virtual instance via OAuth 2 scope administration page.

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33946

Scores

CVSS v3 2.7

EPSS 0.0019

EPSS Percentile 41.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-284

Status published

Products (3)

com.liferay.portal/release.portal.bom 7.4.3.4 - 7.4.3.49Maven

liferay/digital_experience_platform 7.4 update1 (48 CPE variants)

liferay/liferay_portal 7.4.3.4 - 7.4.3.48

Published May 24, 2023

Tracked Since Feb 18, 2026