The Object module in Liferay Portal and Liferay DXP does properly isolate objects in difference virtual instances, which allows remote authenticated users in one virtual instance to view objects in a different virtual instance via OAuth 2 scope administration page.
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.Read More