CVE-2021-33324
Liferay Portal and Liferay DXP Don't Check Permissions of Pages
4.3
MEDIUM
CVSS 3.1
EPSS 0.12%
Description
The Layout module in Liferay Portal 7.1.0 through 7.3.1, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 5, does not properly check permission of pages, which allows remote authenticated users without view permission of a page to view the page via a site's page administration.
How to fix CVE-2021-33324
To remediate CVE-2021-33324, upgrade the affected package to a fixed version below.
- —upgrade to 7.1.10.fp20 or later
- —upgrade to 7.3.2 or later
Is CVE-2021-33324 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 7.1.10.fp20
- >= 7.1.0, < 7.3.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |