CVE-2021-33321 – com.liferay.portal:release.portal.bom
Package
Manager: maven
Name: com.liferay.portal:release.portal.bom
Vulnerable Version: >=0 <7.3.3
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00313 (percentile 0.5387)
Details
Liferay Portal and Liferay DXP insecure default configuration
Insecure default configuration in the portal services implementation before 5.11.0 in Liferay Portal 6.2.3 through 7.3.2, and Liferay DXP before 7.3, allows remote attackers to enumerate user email addresses via the forgot password functionality. The portal property login.secure.forgot.password should default to true.
Metadata
Created: 2022-05-24T19:09:46Z
Modified: 2025-06-27T21:40:15Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jfch-m2x3-2v66/GHSA-jfch-m2x3-2v66.json
CWE IDs: ["CWE-640"]
Alternative ID: GHSA-jfch-m2x3-2v66
Finding: F087
Auto approve: 1