CVE-2021-33320
MEDIUM4.3EPSS 0.39%Liferay Portal and Liferay DXP vulnerable to email spam via lack of flagging rate
發布日:2022/5/24修改日:2025/7/14
描述
The Flags module before version 5.0.11 in Liferay Portal 7.3.1 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20, and 7.2 before fix pack 5, does not limit the rate at which content can be flagged as inappropriate, which allows remote authenticated users to spam the site administrator with emails
受影響套件(2)
- Maven/com.liferay:com.liferay.flags.taglibfrom 0, < 5.0.11
- Maven/com.liferay.portal:release.dxp.bom>= 7.0.0, < 7.0.10.fp96
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
參考連結(4)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-33320
- PATCHhttps://github.com/liferay/liferay-portal
- WEBhttps://issues.liferay.com/browse/LPE-17007
- WEBhttps://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2021-33320-flagging-content-as-inappropriate-is-not-rate-limited?p_r_p_assetEntryId=121611464&_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_redirect=https%3A%2F%2Fliferay.dev%3A443%2Fportal%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_r_p_assetEntryId%3D121611464%26_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_cur%3D0%26p_r_p_resetCur%3Dfalse