Liferay Portal 7.3.7, 7.4.0, and 7.4.1, and Liferay DXP 7.2 fix pack 13, and 7.3 fix pack 2 does not properly check user permission when accessing a list of sites/groups, which allows remote authenticated users to view sites/groups via the user's site membership assignment UI.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| com.liferay.portal:release.portal.bom(Maven) | N/A | N/A | N/A |
| com.liferay.portal:release.portal.bom(Maven) | 7.4.0 | 7.4.2-ga3 | N/A |
| com.liferay.portal:release.dxp.bom(Maven) | 7.2.0 | 7.2.10.fp13 | N/A |
| com.liferay.portal:release.dxp.bom(Maven) | 7.3.0 | 7.3.10.fp2 | N/A |
| com.liferay:com.liferay.site.browser.web(Maven) | 0 | 6.0.5 | N/A |
| com.liferay.portal:com.liferay.portal.impl(Maven) | 0 | 7.7.9 | N/A |
CVSS Metrics
