CVE-2021-33331

MEDIUM6.1EPSS 0.36%

Liferay Portal and Liferay DXP Allows Arbitrary Redirect of Users to External URLs

發布日:2022/5/24修改日:2025/5/28

描述

Open redirect vulnerability in the Notifications module in Liferay Portal 7.0.0 through 7.3.1, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19 and 7.2 before fix pack 8, allows remote attackers to redirect users to arbitrary external URLs via the 'redirect' parameter.

受影響套件(2)

Maven/com.liferay.portal:release.dxp.bom>= 7.0.10.fp0, < 7.0.10.fp94
Maven/com.liferay.portal:release.portal.bom>= 7.0.0, <= 7.3.1

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-33331
PATCHhttps://github.com/liferay/liferay-portal
WEBhttps://issues.liferay.com/browse/LPE-17022
WEBhttps://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747627