PT-2021-20105 · Liferay · Liferay Portal+1
Published
2021-08-03
·
Updated
2022-05-24
·
CVE-2021-33324
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Liferay Portal versions 7.1.0 through 7.3.1
Liferay DXP versions 7.1 before fix pack 20
Liferay DXP versions 7.2 before fix pack 5
Description
The Layout module does not properly check permission of pages, allowing remote authenticated users without view permission of a page to view the page via a site's page administration.
Recommendations
For Liferay Portal versions 7.1.0 through 7.3.1, update to a version that includes the fix for the permission checking issue.
For Liferay DXP versions 7.1 before fix pack 20, apply fix pack 20 or later to resolve the issue.
For Liferay DXP versions 7.2 before fix pack 5, apply fix pack 5 or later to resolve the issue.
As a temporary workaround, consider restricting access to the site's page administration for remote authenticated users without view permission of a page.
Fix
Incorrect Default Permissions
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Liferay Dxp
Liferay Portal