CVE-2021-33325
Liferay Portal and Liferay DXP Stores User Passwords in Cleartext
CVSS 3.1: 4.9 (MEDIUM)
EPSS: 0.12%
Description
In the Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19, and 7.2 before fix pack 7, users' clear text passwords are stored in the database if workflow is enabled for user creation, which allows attackers with access to the database to obtain a user's password.
How to fix CVE-2021-33325
To remediate CVE-2021-33325, upgrade the affected package to a fixed version below.
- —upgrade to 7.0.10.fp93 or later
- —no fix listed
Is CVE-2021-33325 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 7.0.10.fp93
- >= 7.3.0, <= 7.3.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |