CVE-2023-3426

MEDIUM

Liferay Portal 7.4.3.81-7.4.3.85 and DXP 7.4 update 81-85 - Authenticated Missing Authorization in Organization Selector

Title source: llm

Description

The organization selector in Liferay Portal 7.4.3.81 through 7.4.3.85, and Liferay DXP 7.4 update 81 through 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations.

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-3426

Scores

CVSS v3 4.3

EPSS 0.0043

EPSS Percentile 34.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-862 CWE-425

Status published

Products (4)

com.liferay/com.liferay.organizations.item.selector.web 0 - 4.0.14Maven

com.liferay.portal/release.dxp.bom 7.4.143.u81Maven

liferay/digital_experience_platform 7.4 update81 (5 CPE variants)

liferay/liferay_portal 7.4.3.81 - 7.4.3.85

Published Aug 02, 2023

Tracked Since Feb 18, 2026