Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02eHhjLTRqYzQtN2p2M84AArFR
Exposure of Resource to Wrong Sphere in Liferay Portal
Liferay Portal 7.2.0 through 7.3.2, and Liferay DXP 7.2 before fix pack 9, allow access to Cross-Origin Resource Sharing (CORS) protected resources when the user is authenticated only through the portal session authentication, which allows remote attackers to obtain sensitive information, including the targeted user's email address and current CSRF token.
Permalink: https://github.com/advisories/GHSA-6xxc-4jc4-7jv3
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02eHhjLTRqYzQtN2p2M84AArFR
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 9 months ago
CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Identifiers: GHSA-6xxc-4jc4-7jv3, CVE-2021-33330
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-33330
- https://issues.liferay.com/browse/LPE-17127
- https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747720
- https://github.com/advisories/GHSA-6xxc-4jc4-7jv3
Affected Packages
maven:com.liferay.portal:release.portal.bom
Dependent packages: 5
Dependent repositories: 33
Downloads:
Affected Version Ranges: >= 7.2.0, < 7.3.3
Fixed in: 7.3.3
All affected versions: 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.3.2
All unaffected versions: 7.0.6, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.4.0, 7.4.1, 7.4.2