GHSA-xph3-vjcq-g488
Suggest an improvement- Source
- https://github.com/advisories/GHSA-xph3-vjcq-g488
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-xph3-vjcq-g488/GHSA-xph3-vjcq-g488.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-xph3-vjcq-g488
- Aliases
- Published
- 2023-08-02T12:30:15Z
- Modified
- 2025-08-08T21:57:06.092536Z
- Severity
-
- 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- Liferay Portal and Liferay DXP Organization Selector Does Not Check User Permissions
- Details
-
The organization selector before 4.0.14 from Liferay Portal (7.4.3.81 through 7.4.3.85), and Liferay DXP 7.4 update 81 through 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations.
- Database specific
{ "nvd_published_at": "2023-08-02T10:15:09Z", "severity": "MODERATE", "cwe_ids": [ "CWE-425", "CWE-862" ], "github_reviewed": true, "github_reviewed_at": "2025-08-08T21:12:51Z" }- References
Affected packages
Maven / com.liferay:com.liferay.organizations.item.selector.web
Package
- Name
- com.liferay:com.liferay.organizations.item.selector.web
- View open source insights on deps.dev
- Purl
- pkg:maven/com.liferay/com.liferay.organizations.item.selector.web
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.0.14
Affected versions
1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
2.*
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.0.11
2.0.12
2.0.13
3.*
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.0.10
3.0.11
3.0.12
3.0.13
4.*
4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.0.8
4.0.9
4.0.10
4.0.11
4.0.12
4.0.13
Maven / com.liferay.portal:release.dxp.bom
Package
- Name
- com.liferay.portal:release.dxp.bom
- View open source insights on deps.dev
- Purl
- pkg:maven/com.liferay.portal/release.dxp.bom