CVE-2021-33338 – com.liferay.portal:release.dxp.bom

Package

Manager: maven
Name: com.liferay.portal:release.dxp.bom
Vulnerable Version: >=7.1.0 <7.1.10.fp19 || >=7.2.0 <7.2.10.fp6

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.0011 pctl0.30061

Details

Liferay Portal Layout Module and Liferay DXP Exposes the Cross-Site Request Forgery (CSRF) Token in URLs The Layout module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 6, exposes the CSRF token in URLs, which allows man-in-the-middle attackers to obtain the token and conduct Cross-Site Request Forgery (CSRF) attacks via the p_auth parameter.

Metadata

Created: 2022-05-24T19:10:01Z
Modified: 2025-05-28T20:14:51Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4frg-rpx6-96qh/GHSA-4frg-rpx6-96qh.json
CWE IDs: ["CWE-352"]
Alternative ID: GHSA-4frg-rpx6-96qh
Finding: F007
Auto approve: 1