GHSA-qwj8-qgpr-8crm

Suggest an improvement
Source
https://github.com/advisories/GHSA-qwj8-qgpr-8crm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-qwj8-qgpr-8crm/GHSA-qwj8-qgpr-8crm.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qwj8-qgpr-8crm
Aliases
Published
2024-02-08T06:30:23Z
Modified
2024-02-16T08:18:37.093535Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Liferay Portal vulnerable to user impersonation
Details

In Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions the doAsUserId URL parameter may get leaked when creating linked content using the WYSIWYG editor and while impersonating a user. This may allow remote authenticated users to impersonate a user after accessing the linked content.

References

Affected packages

Maven / com.liferay.portal:release.portal.bom

Package

Name
com.liferay.portal:release.portal.bom
View open source insights on deps.dev
Purl
pkg:maven/com.liferay.portal/release.portal.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.2.0
Fixed
7.4.2

Affected versions

7.*

7.2.0
7.2.1
7.2.1-1
7.3.0
7.3.0-1
7.3.1
7.3.1-1
7.3.2
7.3.2-1
7.3.3
7.3.3-1
7.3.4
7.3.5
7.3.6
7.3.7
7.4.0
7.4.1
7.4.1-1

Maven / com.liferay.portal:release.dxp.bom

Package

Name
com.liferay.portal:release.dxp.bom
View open source insights on deps.dev
Purl
pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.2.0
Fixed
7.2.10.fp15

Affected versions

7.*

7.2.1
7.2.10
7.2.10.fp1
7.2.10.fp1-1
7.2.10.fp2
7.2.10.fp3
7.2.10.fp4
7.2.10.fp5
7.2.10.fp6
7.2.10.fp7
7.2.10.fp8
7.2.10.fp9
7.2.10.fp10
7.2.10.fp11
7.2.10.fp12
7.2.10.fp13
7.2.10.fp14

Maven / com.liferay.portal:release.dxp.bom

Package

Name
com.liferay.portal:release.dxp.bom
View open source insights on deps.dev
Purl
pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.3.0
Fixed
7.3.10.u4

Affected versions

7.*

7.3.10
7.3.10.ep3
7.3.10.ep4
7.3.10.ep5
7.3.10.fp1
7.3.10.fp2