Moderate severity · NVD Advisory · Published Aug 2, 2023 · Updated Oct 11, 2024
CVE-2023-3426
Description
The organization selector in Liferay Portal 7.4.3.81 through 7.4.3.85, and Liferay DXP 7.4 update 81 through 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.liferay:com.liferay.organizations.item.selector.web (Maven) | < 4.0.14 | 4.0.14 |
| com.liferay.portal:release.dxp.bom (Maven) | >= 7.4.143.u81, <= 7.4.143.u85 | — |
Affected products
2- Liferay/DXPv5Range: 7.4.13.u81
Patches
b410f4023339 — LPS-188789 Uses service impl method to filter organizations by permissions
2 files changed · +16 −17
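--- a/modules/apps/organizations/organizations-item-selector-web/src/main/java/com/liferay/organizations/item/selector/web/internal/display/context/OrganizationItemSelectorViewDisplayContext.java
+++ b/modules/apps/organizations/organizations-item-selector-web/src/main/java/com/liferay/organizations/item/selector/web/internal/display/context/OrganizationItemSelectorViewDisplayContext.java
@@ -20,9 +20,8 @@
 import com.liferay.portal.kernel.exception.PortalException;
 import com.liferay.portal.kernel.model.Organization;
 import com.liferay.portal.kernel.model.OrganizationConstants;
-import com.liferay.portal.kernel.search.SortFactoryUtil;
 import com.liferay.portal.kernel.security.auth.CompanyThreadLocal;
-import com.liferay.portal.kernel.service.OrganizationLocalService;
+import com.liferay.portal.kernel.service.OrganizationService;
 import com.liferay.portal.kernel.util.JavaConstants;
 import com.liferay.portal.kernel.util.ParamUtil;
 import com.liferay.portlet.usersadmin.search.OrganizationSearch;
@@ -42,12 +41,11 @@
 public class OrganizationItemSelectorViewDisplayContext {
 
 	public OrganizationItemSelectorViewDisplayContext(
 		OrganizationItemSelectorCriterion organizationItemSelectorCriterion,
-		OrganizationLocalService organizationLocalService,
-		UsersAdmin usersAdmin, HttpServletRequest httpServletRequest,
-		PortletURL portletURL) {
+		OrganizationService organizationService, UsersAdmin usersAdmin,
+		HttpServletRequest httpServletRequest, PortletURL portletURL) {
 
 		_organizationItemSelectorCriterion = organizationItemSelectorCriterion;
-		_organizationLocalService = organizationLocalService;
+		_organizationService = organizationService;
 		_usersAdmin = usersAdmin;
 		_portletURL = portletURL;
@@ -87,14 +85,16 @@ public SearchContainer<Organization> getSearchContainer()
 			(OrganizationSearchTerms)_searchContainer.getSearchTerms();
 
 		_searchContainer.setResultsAndTotal(
-			_organizationLocalService.searchOrganizations(
+			() -> _organizationService.getOrganizations(
 				CompanyThreadLocal.getCompanyId(),
 				OrganizationConstants.ANY_PARENT_ORGANIZATION_ID,
-				organizationSearchTerms.getKeywords(), null,
+				organizationSearchTerms.getKeywords(),
 				_searchContainer.getStart(), _searchContainer.getEnd(),
-				SortFactoryUtil.getSort(
-					Organization.class, _searchContainer.getOrderByCol(),
-					_searchContainer.getOrderByType())));
+				_searchContainer.getOrderByComparator()),
+			_organizationService.getOrganizationsCount(
+				CompanyThreadLocal.getCompanyId(),
+				OrganizationConstants.ANY_PARENT_ORGANIZATION_ID,
+				organizationSearchTerms.getKeywords()));
 
 		_searchContainer.setRowChecker(
 			new OrganizationItemSelectorChecker(
@@ -107,7 +107,7 @@ public SearchContainer<Organization> getSearchContainer()
 	private final OrganizationItemSelectorCriterion
 		_organizationItemSelectorCriterion;
-	private final OrganizationLocalService _organizationLocalService;
+	private final OrganizationService _organizationService;
 	private final PortletURL _portletURL;
 	private final RenderRequest _renderRequest;
 	private final RenderResponse _renderResponse;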
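Review bot: The swap from `_organizationLocalService.searchOrganizations` to `_organizationService.getOrganizations` in `getSearchContainer()` is the permission fix itself, but nothing in the code records that, so a later change back to the local service (which does not check the caller's permissions) would silently reopen the unfiltered listing. Suggest a comment above `_searchContainer.setResultsAndTotal(`: `// Use the remote OrganizationService, not OrganizationLocalService: its permission check is what keeps organizations the current user may not view out of this selector.` The total passed as the second argument comes from `getOrganizationsCount`, which must apply the same per-user filter as `getOrganizations` or the container's page count will exceed the rows a user can actually see; that implementation is outside this diff and worth confirming. Ordering also moved from a `SortFactoryUtil` search-index sort to `_searchContainer.getOrderByComparator()`, which presumably sorts in the query instead, so the selector's sortable columns should be checked against the available comparators. getSearchContainer() begins and ends outside the hunk.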
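--- a/modules/apps/organizations/organizations-item-selector-web/src/main/java/com/liferay/organizations/item/selector/web/internal/OrganizationItemSelectorView.java
+++ b/modules/apps/organizations/organizations-item-selector-web/src/main/java/com/liferay/organizations/item/selector/web/internal/OrganizationItemSelectorView.java
@@ -21,7 +21,7 @@
 import com.liferay.organizations.item.selector.OrganizationItemSelectorCriterion;
 import com.liferay.organizations.item.selector.web.internal.display.context.OrganizationItemSelectorViewDisplayContext;
 import com.liferay.portal.kernel.language.Language;
-import com.liferay.portal.kernel.service.OrganizationLocalService;
+import com.liferay.portal.kernel.service.OrganizationService;
 import com.liferay.portal.kernel.util.Portal;
 import com.liferay.users.admin.kernel.util.UsersAdmin;
@@ -79,9 +79,8 @@ public void renderHTML(
 		OrganizationItemSelectorViewDisplayContext
 			organizationItemSelectorViewDisplayContext =
 				new OrganizationItemSelectorViewDisplayContext(
-					organizationItemSelectorCriterion,
-					_organizationLocalService, _usersAdmin, httpServletRequest,
-					portletURL);
+					organizationItemSelectorCriterion, _organizationService,
+					_usersAdmin, httpServletRequest, portletURL);
 
 		_itemSelectorViewDescriptorRenderer.renderHTML(
 			httpServletRequest, servletResponse,
@@ -104,7 +103,7 @@ public void renderHTML(
 	private Language _language;
 
 	@Reference
-	private OrganizationLocalService _organizationLocalService;
+	private OrganizationService _organizationService;
 
 	@Reference
 	private Portal _portal;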
References
- github.com/advisories/GHSA-xph3-vjcq-g488 — ghsa, ADVISORY
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-3426 — ghsa, vendor-advisory, WEB
- nvd.nist.gov/vuln/detail/CVE-2023-3426 — ghsa, ADVISORY
- github.com/liferay/liferay-portal/commit/b410f40233394d1d3d1076189befd4b33ba9fb47 — ghsa, WEB