CVE-2021-33320 — Allocation of Resources Without Limits or Throttling in Portal

CWE-770 — Allocation of Resources Without Limits or Throttling4 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.4%

top 39.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Portal Liferay Digital Experience Platform

Timeline

PublishedAug 3

Latest updateMay 24

Description

The Flags module in Liferay Portal 7.3.1 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20, and 7.2 before fix pack 5, does not limit the rate at which content can be flagged as inappropriate, which allows remote authenticated users to spam the site administrator with emails

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:LExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDliferay/liferay_portal< 7.3.1

▶NVDliferay/digital_experience_platform7.0, 7.1, 7.2+2

Patches

Patch: issues.liferay.com ↗Patch: portal.liferay.dev ↗Patch: issues.liferay.com ↗

🔴Vulnerability Details

OSV

Liferay Portal and Liferay DXP vulnerable to email spam via lack of flagging rate↗2022-05-24

▶

GHSA

Liferay Portal and Liferay DXP vulnerable to email spam via lack of flagging rate↗2022-05-24

▶

CVEList

CVE-2021-33320: The Flags module in Liferay Portal 7↗2021-08-03

▶