CVE-2023-33947

The Object module in Liferay Portal 7.4.3.4 through 7.4.3.60, and Liferay DXP 7.4 before update 61 does not segment object definition by virtual instance in search which allows remote authenticated users in one virtual instance to view object definition from a second virtual instance by searching for the object definition.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
2.7 LOW
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
LiferayCNA
2.7 LOW
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 34%
VendorProductVersion
liferaydigital_experience_platform
7.4
liferaydigital_experience_platform
7.4:update1
liferaydigital_experience_platform
7.4:update21
liferaydigital_experience_platform
7.4:update34
liferaydigital_experience_platform
7.4:update36
liferaydigital_experience_platform
7.4:update41
liferaydigital_experience_platform
7.4:update50
liferaydigital_experience_platform
7.4:update52
liferayliferay_portal
7.4.3.4 ≤
𝑥
≤ 7.4.3.60
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33947
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33947