CVE-2021-33331
Liferay Portal and Liferay DXP Allows Arbitrary Redirect of Users to External URLs
CVSS 3.1: 6.1 (MEDIUM)
EPSS: 0.36%
Description
Open redirect vulnerability in the Notifications module in Liferay Portal 7.0.0 through 7.3.1, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19 and 7.2 before fix pack 8, allows remote attackers to redirect users to arbitrary external URLs via the 'redirect' parameter.
How to fix CVE-2021-33331
To remediate CVE-2021-33331, upgrade the affected package to one of the fixed versions listed below.
- —upgrade to 7.0.10.fp94 or later
- —no fix listed
Is CVE-2021-33331 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 7.0.10.fp0, < 7.0.10.fp94
- >= 7.0.0, <= 7.3.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |