CVE-2021-33324 – com.liferay.portal:release.portal.bom
Package
Manager: maven
Name: com.liferay.portal:release.portal.bom
Vulnerable Version: >=7.1.0 <7.3.2
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00121 (percentile: 0.31869)
Details
Liferay Portal and Liferay DXP Don't Check Permissions of Pages
The Layout module in Liferay Portal 7.1.0 through 7.3.1, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 5, does not properly check permission of pages, which allows remote authenticated users without view permission of a page to view the page via a site's page administration.
Metadata
Created: 2022-05-24T19:09:46Z
Modified: 2025-05-28T20:12:08Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-474f-cmx5-gm69/GHSA-474f-cmx5-gm69.json
CWE IDs: ["CWE-276"]
Alternative ID: GHSA-474f-cmx5-gm69
Finding: F159
Auto approve: 1