CVE-2021-33338
Liferay Portal Layout Module and Liferay DXP Exposes the Cross-Site Request Forgery (CSRF) Token in URLs
7.5
HIGH
CVSS 3.1
EPSS 0.11%
Description
The Layout module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 6, exposes the CSRF token in URLs, which allows man-in-the-middle attackers to obtain the token and conduct Cross-Site Request Forgery (CSRF) attacks via the p_auth parameter.
How to fix CVE-2021-33338
To remediate CVE-2021-33338, upgrade the affected package to a fixed version below.
- —upgrade to 7.1.10.fp19 or later
- —upgrade to 7.3.3 or later
Is CVE-2021-33338 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 7.1.0, < 7.1.10.fp19
- >= 7.1.0, < 7.3.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |