CVE-2021-33330 – com.liferay.portal:release.portal.bom

Package

Manager: maven
Name: com.liferay.portal:release.portal.bom
Vulnerable Version: >=7.2.0 <7.3.3

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00207 pctl0.43142

Details

Exposure of Resource to Wrong Sphere in Liferay Portal Liferay Portal 7.2.0 through 7.3.2, and Liferay DXP 7.2 before fix pack 9, allows access to Cross-origin resource sharing (CORS) protected resources if the user is only authenticated using the portal session authentication, which allows remote attackers to obtain sensitive information including the targeted user’s email address and current CSRF token.

Metadata

Created: 2022-05-24T22:28:20Z
Modified: 2025-05-14T19:17:39Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-6xxc-4jc4-7jv3/GHSA-6xxc-4jc4-7jv3.json
CWE IDs: ["CWE-668"]
Alternative ID: GHSA-6xxc-4jc4-7jv3
Finding: F017
Auto approve: 1