CVE-2023-33948
Description
The Dynamic Data Mapping module in Liferay Portal 7.4.3.67 and Liferay DXP 7.4 update 67 does not limit which Document and Media files can be downloaded from a Form, which allows remote attackers to download any file from Document and Media via a crafted URL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Liferay Portal/DXP Dynamic Data Mapping module allows unauthorized file download from Document and Media via crafted URL.
Overview
The Dynamic Data Mapping module in Liferay Portal 7.4.3.67 and Liferay DXP 7.4 update 67 lacks proper access control, allowing remote attackers to download arbitrary files from the Document and Media library. This occurs because the module does not restrict which files can be downloaded when a form is submitted via a crafted URL [1].
Exploitation
An attacker can exploit this vulnerability by constructing a specially crafted URL that triggers the download of any file stored in the Document and Media repository. No authentication is required, making the attack vector accessible to anyone with network access to the affected Liferay instance.
Impact
Successful exploitation enables an attacker to retrieve any file from the Document and Media library, including sensitive documents, potentially leading to data breaches and unauthorized disclosure of confidential information.
Mitigation
Liferay has acknowledged this vulnerability. Users should upgrade to patched versions (e.g., Liferay Portal 7.4.3.68+ or DXP 7.4 update 68+) once available. As a general precaution, restrict network access to Liferay forms and monitor for suspicious download requests.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.liferay.portal:release.portal.bomMaven | >= 7.4.3.67, < 7.4.3.68 | 7.4.3.68 |
Affected products
- (no CPE) range: >= 7.4-update67.0, <= 7.4-update67.0
- (no CPE) range: >= 7.4.3.67, < 7.4.3.68
- Liferay/DXP range: 7.4.13.u67
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-w6f8-mxf5-4vf8 (GHSA advisory)
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33948 (vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-33948 (NVD advisory)
News mentions
No linked articles in our index yet.