CVE-2021-33322 — Insufficient Session Expiration in Portal

CWE-613 — Insufficient Session Expiration4 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 54.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Portal Liferay Digital Experience Platform

Timeline

PublishedAug 3

Latest updateMay 24

Description

In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 18, and 7.2 before fix pack 5, password reset tokens are not invalidated after a user changes their password, which allows remote attackers to change the user’s password via the old password reset token.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDliferay/liferay_portal< 7.3.1

▶NVDliferay/digital_experience_platform7.0, 7.1, 7.2+2

Patches

Patch: issues.liferay.com ↗Patch: issues.liferay.com ↗

🔴Vulnerability Details

OSV

Liferay Portal and Liferay DXP fails to invalidate password reset tokens after use↗2022-05-24

▶

GHSA

Liferay Portal and Liferay DXP fails to invalidate password reset tokens after use↗2022-05-24

▶

CVEList

CVE-2021-33322: In Liferay Portal 7↗2021-08-03

▶