CVE-2021-33323

HIGH7.5EPSS 0.42%

Liferay Portal and Liferay DXP autosaves form data for other users to see

Published: 5/24/2022Modified: 6/27/2025

Description

The Dynamic Data Mapping module in Dynamic Data Mapping Form Web before 3.0.23 in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 7, autosaves form values for unauthenticated users, which allows remote attackers to view the autosaved values by viewing the form as an unauthenticated user.

Affected packages (2)

Maven/com.liferay:com.liferay.dynamic.data.mapping.form.webfrom 0, < 3.0.23
Maven/com.liferay.portal:release.dxp.bom>= 7.1.0, < 7.1.10.fp19

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-33323
PATCHhttps://github.com/liferay/liferay-portal
WEBhttps://issues.liferay.com/browse/LPE-17049
WEBhttps://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747107