CVE-2021-29050 – com.liferay.portal:release.dxp.bom

Package

Manager: maven
Name: com.liferay.portal:release.dxp.bom
Vulnerable Version: >=7.2.0 <7.2.10.fp11

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00303 pctl0.531

Details

Liferay Portal and Liferay DXP Vulnerable to Cross-Site Request Forgery in Terms of Use Page Cross-Site Request Forgery (CSRF) vulnerability in the terms of use page in the implementation for the portal services package before 5.25.0 from Liferay Portal (before 7.3.6), and Liferay DXP 7.3 before service pack 1, 7.2 before fix pack 11 allows remote attackers to accept the site's terms of use via social engineering and enticing the user to visit a malicious page.

Metadata

Created: 2024-02-21T00:31:31Z
Modified: 2025-07-29T13:05:33Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-mh9r-9pcx-rx55/GHSA-mh9r-9pcx-rx55.json
CWE IDs: ["CWE-352"]
Alternative ID: GHSA-mh9r-9pcx-rx55
Finding: F007
Auto approve: 1