CVE-2023-33948

Missing authorization in Liferay Portal in maven/com.liferay.portal/release.portal.bom

Identifiers

GHSA-w6f8-mxf5-4vf8, CVE-2023-33948

Package Slug

maven/com.liferay.portal/release.portal.bom

Vulnerability

Missing authorization in Liferay Portal

Description

The Dynamic Data Mapping module in Liferay Portal 7.4.3.67 and Liferay DXP 7.4 update 67 does not limit which Document and Media files can be downloaded from a Form, which allows remote attackers to download any file from Document and Media via a crafted URL.

Affected Versions

Version 7.4.3.67

Solution

Upgrade to version 7.4.3.68 or above.

Last Modified

2023-05-25
