CVE-2021-33338

HIGH7.5EPSS 0.11%

Liferay Portal Layout Module and Liferay DXP Exposes the Cross-Site Request Forgery (CSRF) Token in URLs

發布日:2022/5/24修改日:2025/5/28

描述

The Layout module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 6, exposes the CSRF token in URLs, which allows man-in-the-middle attackers to obtain the token and conduct Cross-Site Request Forgery (CSRF) attacks via the p_auth parameter.

受影響套件(2)

Maven/com.liferay.portal:release.dxp.bom>= 7.1.0, < 7.1.10.fp19
Maven/com.liferay.portal:release.portal.bom>= 7.1.0, < 7.3.3

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-33338
PATCHhttps://github.com/liferay/liferay-portal
WEBhttps://issues.liferay.com/browse/LPE-17030
WEBhttps://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748276