GHSA-w6f8-mxf5-4vf8

Source

https://github.com/advisories/GHSA-w6f8-mxf5-4vf8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-w6f8-mxf5-4vf8/GHSA-w6f8-mxf5-4vf8.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-w6f8-mxf5-4vf8

Aliases

Published

2023-05-24T18:30:26Z

Modified

2023-12-06T01:03:03.243749Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Missing authorization in Liferay portal

Details

The Dynamic Data Mapping module in Liferay Portal 7.4.3.67, and Liferay DXP 7.4 update 67 does not limit Document and Media files which can be downloaded from a Form, which allows remote attackers to download any file from Document and Media via a crafted URL.

Database specific

{
    "nvd_published_at": "2023-05-24T16:15:10Z",
    "cwe_ids": [
        "CWE-862"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-24T21:53:37Z"
}

References

Affected packages

Maven / com.liferay.portal:release.portal.bom

Package

Name: com.liferay.portal:release.portal.bom; View open source insights on deps.dev
Purl: pkg:maven/com.liferay.portal/release.portal.bom

GHSA-w6f8-mxf5-4vf8

Affected packages

Maven / com.liferay.portal:release.portal.bom

Package

Affected ranges

Affected versions

7.*