CVE-2021-33323 – com.liferay:com.liferay.dynamic.data.mapping.form.web

Package

Manager: maven
Name: com.liferay:com.liferay.dynamic.data.mapping.form.web
Vulnerable Version: >=0 <3.0.23

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00417 pctl0.60946

Details

Liferay Portal and Liferay DXP autosaves form data for other users to see The Dynamic Data Mapping module in Dynamic Data Mapping Form Web before 3.0.23 in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 7, autosaves form values for unauthenticated users, which allows remote attackers to view the autosaved values by viewing the form as an unauthenticated user.

Metadata

Created: 2022-05-24T19:09:46Z
Modified: 2025-06-27T21:11:21Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fxpf-jr2q-vpvv/GHSA-fxpf-jr2q-vpvv.json
CWE IDs: ["CWE-312"]
Alternative ID: GHSA-fxpf-jr2q-vpvv
Finding: F020
Auto approve: 1