CVE-2023-33947

LOW

Liferay Portal/DXP <7.4.3.60 - Info Disclosure

Title source: llm

Description

The Object module in Liferay Portal 7.4.3.4 through 7.4.3.60, and Liferay DXP 7.4 before update 61 does not segment object definition by virtual instance in search which allows remote authenticated users in one virtual instance to view object definition from a second virtual instance by searching for the object definition.

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33947

Scores

CVSS v3 2.7

EPSS 0.0019

EPSS Percentile 41.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-284

Status published

Products (2)

com.liferay.portal/release.portal.bom 7.4.3.4 - 7.4.3.61Maven

liferay/digital_experience_platform 7.4 update1 (49 CPE variants)

Published May 24, 2023

Tracked Since Feb 18, 2026