CVE-2021-33320
Liferay Portal and Liferay DXP vulnerable to email spam via lack of flagging rate
4.3
MEDIUM
CVSS 3.1
EPSS 0.39%
Description
The Flags module before version 5.0.11 in Liferay Portal 7.3.1 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20, and 7.2 before fix pack 5, does not limit the rate at which content can be flagged as inappropriate, which allows remote authenticated users to spam the site administrator with emails
How to fix CVE-2021-33320
To remediate CVE-2021-33320, upgrade the affected package to a fixed version below.
- —upgrade to 5.0.11 or later
- —upgrade to 7.0.10.fp96 or later
Is CVE-2021-33320 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 5.0.11
- >= 7.0.0, < 7.0.10.fp96
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |