Fluid Attacks Database

Description

Liferay Portal Layout Module and Liferay DXP Exposes the Cross-Site Request Forgery (CSRF) Token in URLs The Layout module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 6, exposes the CSRF token in URLs, which allows man-in-the-middle attackers to obtain the token and conduct Cross-Site Request Forgery (CSRF) attacks via the p_auth parameter.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	com.liferay.portal:release.portal.bom	>=7.1.0 <7.3.3	7.3.3
maven	com.liferay.portal:release.dxp.bom	>=7.1.0 <7.1.10.fp19 \|\| >=7.2.0 <7.2.10.fp6	7.1.10.fp19, 7.2.10.fp6

Aliases

1. CVE-2021-333382. NVD-2021-333383. OSV-2021-333384. GCVE-2021-33338

References

1. https://issues.liferay.com/browse/LPE-170302. https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748276