CVE-2021-33323

HIGH7.5EPSS 0.42%

Liferay Portal and Liferay DXP autosaves form data for other users to see

發布日:2022/5/24修改日:2025/6/27

描述

The Dynamic Data Mapping module in Dynamic Data Mapping Form Web before 3.0.23 in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 7, autosaves form values for unauthenticated users, which allows remote attackers to view the autosaved values by viewing the form as an unauthenticated user.

受影響套件(2)

Maven/com.liferay:com.liferay.dynamic.data.mapping.form.webfrom 0, < 3.0.23
Maven/com.liferay.portal:release.dxp.bom>= 7.1.0, < 7.1.10.fp19

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-33323
PATCHhttps://github.com/liferay/liferay-portal
WEBhttps://issues.liferay.com/browse/LPE-17049
WEBhttps://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747107