CVE-2021-33334Incorrect Default Permissions in Portal

CWE-276Incorrect Default Permissions4 documents4 sources
Severity
4.3MEDIUMNVD
EPSS
0.1%
top 76.11%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Liferay PortalLiferay Digital Experience Platform
Timeline
PublishedAug 3
Latest updateMay 24

Description

The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.2, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 6, does not properly check user permissions, which allows remote attackers with the forms "Access in Site Administration" permission to view all forms and form entries in a site via the forms section in site administration.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

NVDliferay/liferay_portal7.0.07.3.3

Patches

Patch: issues.liferay.comPatch: issues.liferay.com

🔴Vulnerability Details

3
OSV
Liferay Portal and Liferay DXP Fails to Properly Check User Permissions2022-05-24
GHSA
Liferay Portal and Liferay DXP Fails to Properly Check User Permissions2022-05-24
CVEList
CVE-2021-33334: The Dynamic Data Mapping module in Liferay Portal 72021-08-03
CVE-2021-33334 — Incorrect Default Permissions | cvebase