CVE-2023-3426

MEDIUM

Liferay Digital Experience Platform < 7.4.3.85 - Missing Authorization

Title source: rule

Description

The organization selector in Liferay Portal 7.4.3.81 through 7.4.3.85, and Liferay DXP 7.4 update 81 through 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations.

References (1)

[Vendor Advisory] https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-3426

Scores

CVSS v3 4.3

EPSS 0.0040

EPSS Percentile 61.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-862 CWE-425

Status published

Products (4)

com.liferay/com.liferay.organizations.item.selector.web 0 - 4.0.14Maven

com.liferay.portal/release.dxp.bom 7.4.143.u81Maven

liferay/digital_experience_platform 7.4 update81 (5 CPE variants)

liferay/liferay_portal 7.4.3.81 - 7.4.3.85

Published Aug 02, 2023

Tracked Since Feb 18, 2026