CVE-2021-33323
Liferay Portal and Liferay DXP autosaves form data for other users to see
7.5
HIGH
CVSS 3.1
EPSS 0.42%
Description
The Dynamic Data Mapping module in Dynamic Data Mapping Form Web before 3.0.23 in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 7, autosaves form values for unauthenticated users, which allows remote attackers to view the autosaved values by viewing the form as an unauthenticated user.
How to fix CVE-2021-33323
To remediate CVE-2021-33323, upgrade the affected package to a fixed version below.
- —upgrade to 3.0.23 or later
- —upgrade to 7.1.10.fp19 or later
Is CVE-2021-33323 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 3.0.23
- >= 7.1.0, < 7.1.10.fp19
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |