#VU76608 Information disclosure in Liferay Enterprise Portal and Liferay DXP - CVE-2023-33948 

 

Published: May 29, 2023


Vulnerability identifier: #VU76608
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-33948
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Liferay Enterprise Portal
Liferay DXP
Software vendor:
Liferay

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists because the Dynamic Data Mapping module does not limit which Document and Media files can be downloaded from a Form. A remote attacker can gain unauthorized access to sensitive information on the system.


Remediation

Install updates from the vendor's website.

External links