Vulnerability Description
The Object module in Liferay Portal 7.4.3.4 through 7.4.3.48, and Liferay DXP 7.4 before update 49 does properly isolate objects in difference virtual instances, which allows remote authenticated users in one virtual instance to view objects in a different virtual instance via OAuth 2 scope administration page.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Liferay | Digital Experience Platform | 7.4 |
| Liferay | Liferay Portal | >= 7.4.3.4, <= 7.4.3.48 |
Related Weaknesses (CWE)
References
- https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jektVendor Advisory
- https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jektVendor Advisory
FAQ
What is CVE-2023-33946?
CVE-2023-33946 is a vulnerability with a CVSS score of 2.7 (LOW). The Object module in Liferay Portal 7.4.3.4 through 7.4.3.48, and Liferay DXP 7.4 before update 49 does properly isolate objects in difference virtual instances, which allows remote authenticated user...
How severe is CVE-2023-33946?
CVE-2023-33946 has been rated LOW with a CVSS base score of 2.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-33946?
Check the references section above for vendor advisories and patch information. Affected products include: Liferay Digital Experience Platform, Liferay Liferay Portal.