CVE-2021-33338 — Cross-Site Request Forgery in Portal

CWE-352 — Cross-Site Request Forgery4 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.1%

top 70.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Portal Liferay Digital Experience Platform

Timeline

PublishedAug 4

Latest updateMay 24

Description

The Layout module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 6, exposes the CSRF token in URLs, which allows man-in-the-middle attackers to obtain the token and conduct Cross-Site Request Forgery (CSRF) attacks via the p_auth parameter.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages2 packages

▶NVDliferay/liferay_portal7.1.0 — 7.3.2

▶NVDliferay/digital_experience_platform7.1, 7.2+1

🔴Vulnerability Details

GHSA

Liferay Portal Layout Module and Liferay DXP Exposes the Cross-Site Request Forgery (CSRF) Token in URLs↗2022-05-24

▶

OSV

Liferay Portal Layout Module and Liferay DXP Exposes the Cross-Site Request Forgery (CSRF) Token in URLs↗2022-05-24

▶

CVEList

CVE-2021-33338: The Layout module in Liferay Portal 7↗2021-08-04

▶