The Dynamic Data Mapping module in Liferay Portal 7.4.3.67, and Liferay DXP 7.4 update 67 does not limit Document and Media files which can be downloaded from a Form, which allows remote attackers to download any file from Document and Media via a crafted URL.

Affected Packages

Maven com.liferay.portal:release.portal.bom

Affected versions: 7.4.3.67 (fixed in 7.4.3.68)

Related CVEs

CVE-2023-33948

Key Information

GHSA ID

GHSA-w6f8-mxf5-4vf8

Published

May 24, 2023 6:30 PM

Last Modified

June 3, 2023 12:10 AM

CVSS Score

7.5 /10

Primary Ecosystem

Maven

Primary Package

com.liferay.portal:release.portal.bom

GitHub Reviewed

✓ Yes

Dataset

Last updated: June 18, 2025 6:25 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.