CVE-2021-33335 – com.liferay.portal:release.dxp.bom

Package

Manager: maven
Name: com.liferay.portal:release.dxp.bom
Vulnerable Version: >=7.1.0 <7.1.10.fp20 || >=7.2.0 <7.2.10.fp9

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00634 pctl0.69485

Details

Liferay Portal and Liferay DXP Has Company Administrator Accounts Vulnerable to Takeovers Privilege escalation vulnerability in Liferay Portal 7.0.3 through 7.3.4, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 9 allows remote authenticated users with permission to update/edit users to take over a company administrator user account by editing the company administrator user.

Metadata

Created: 2022-05-24T19:10:03Z
Modified: 2025-05-28T20:14:34Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-5gh9-g62h-f35m/GHSA-5gh9-g62h-f35m.json
CWE IDs: ["CWE-269", "CWE-863"]
Alternative ID: GHSA-5gh9-g62h-f35m
Finding: F159
Auto approve: 1