CVE-2021-33330

MEDIUM4.3EPSS 0.21%

Exposure of Resource to Wrong Sphere in Liferay Portal

Published: 5/24/2022Modified: 5/14/2025

Description

Liferay Portal 7.2.0 through 7.3.2, and Liferay DXP 7.2 before fix pack 9, allows access to Cross-origin resource sharing (CORS) protected resources if the user is only authenticated using the portal session authentication, which allows remote attackers to obtain sensitive information including the targeted user’s email address and current CSRF token.

Affected packages (1)

Maven/com.liferay.portal:release.portal.bom>= 7.2.0, < 7.3.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-33330
WEBhttps://issues.liferay.com/browse/LPE-17127
WEBhttps://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747720