CVE-2021-33330

Published: Aug 3, 2021Modified: May 13, 2025

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

Liferay Portal 7.2.0 through 7.3.2, and Liferay DXP 7.2 before fix pack 9, allows access to Cross-origin resource sharing (CORS) protected resources if the user is only authenticated using the portal session authentication, which allows remote attackers to obtain sensitive information including the targeted user’s email address and current CSRF token.

Affected (10)

Products: Liferay: Digital Experience Platform, Liferay Portal

Liferay

2 products

Digital Experience Platform

Liferay Portal

Configuration A

10 vulnerable

Vulnerable Software	Affected Versions
Liferay Digital Experience Platform	Version 7.2
Liferay Digital Experience Platform	Version 7.2 fix_pack_1
Liferay Digital Experience Platform	Version 7.2 fix_pack_2
Liferay Digital Experience Platform	Version 7.2 fix_pack_3
Liferay Digital Experience Platform	Version 7.2 fix_pack_4
Liferay Digital Experience Platform	Version 7.2 fix_pack_5
Liferay Digital Experience Platform	Version 7.2 fix_pack_6
Liferay Digital Experience Platform	Version 7.2 fix_pack_7
Liferay Digital Experience Platform	Version 7.2 fix_pack_8
Liferay Liferay Portal	From 7.2.0 to 7.3.3

References (4)

https://issues.liferay.com/browse/LPE-17127

Source: cve@mitre.org

PatchVendor Advisory

https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747720

Source: cve@mitre.org

Release NotesVendor Advisory

https://issues.liferay.com/browse/LPE-17127

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747720

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

Timeline

No history available yet.