CVE-2023-3426 — Liferay Portal and Liferay DXP Organization Selector Does Not Check User Permiss

Description

The organization selector before 4.0.14 from Liferay Portal (7.4.3.81 through 7.4.3.85), and Liferay DXP 7.4 update 81 through 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations.

How to fix CVE-2023-3426

To remediate CVE-2023-3426, upgrade the affected package to a fixed version below.

—no fix listed
—upgrade to 4.0.14 or later
—no fix listed

Is CVE-2023-3426 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

>= 7.4-update81.0, <= 7.4-update81.0, >= 7.4-update82.0, <= 7.4-update82.0, >= 7.4-update83.0, <= 7.4-update83.0, >= 7.4-update84.0, <= 7.4-update84.0, >= 7.4-update85.0, <= 7.4-update85.0
from 0, < 4.0.14
>= 7.4.143.u81, <= 7.4.143.u85

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-3426
PATCHgithub.com/liferay/liferay-portal
WEBgithub.com/liferay/liferay-portal/commit/b410f40233394d1d3d1076189befd4b33ba9fb47
WEBliferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-3426