CVE-2021-33321
Liferay Portal and Liferay DXP insecure default configuration
7.5
HIGH
CVSS 3.1
EPSS 0.31%
Description
Insecure default configuration in portal services implementation before 5.11.0 in Liferay Portal 6.2.3 through 7.3.2, and Liferay DXP before 7.3, allows remote attackers to enumerate user email address via the forgot password functionality. The portal.property login.secure.forgot.password should be defaulted to true.
How to fix CVE-2021-33321
To remediate CVE-2021-33321, upgrade the affected package to a fixed version below.
- —upgrade to 5.11.0 or later
- —upgrade to 7.3.3 or later
Is CVE-2021-33321 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 5.11.0
- from 0, < 7.3.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |