CVE-2021-33331: Open Redirect in Portal

CWE-601: Open Redirect | 4 documents | 4 sources

Severity: 6.1 MEDIUM (NVD)
EPSS: 0.4% (top 42.07%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 3; Latest update May 24

Description

Open redirect vulnerability in the Notifications module in Liferay Portal 7.0.0 through 7.3.1, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19 and 7.2 before fix pack 8, allows remote attackers to redirect users to arbitrary external URLs via the 'redirect' parameter.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (2 packages)

NVD: liferay/liferay_portal 7.0.0 – 7.3.2

Patches

Vulnerability Details (3)

GHSA: Liferay Portal and Liferay DXP Allows Arbitrary Redirect of Users to External URLs (2022-05-24)
OSV: Liferay Portal and Liferay DXP Allows Arbitrary Redirect of Users to External URLs (2022-05-24)
CVEList: CVE-2021-33331: Open redirect vulnerability in the Notifications module in Liferay Portal 7 (2021-08-03)
CVE-2021-33331 — Open Redirect in Liferay Portal | cvebase