PT-2021-20114 · Liferay · Liferay Portal+1

Published: 2021-08-03 · Updated: 2022-05-24 · CVE-2021-33333

CVSS v2.0: 6.5 (Medium)

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

Liferay Portal versions 7.3.2 and earlier
Liferay DXP 7.0 before fix pack 93
Liferay DXP 7.1 before fix pack 19
Liferay DXP 7.2 before fix pack 6

Description

The Portal Workflow module does not properly check user permission, allowing remote authenticated users to view and delete workflow submissions via crafted URLs.

Recommendations

For Liferay Portal versions 7.3.2 and earlier, update to a version later than 7.3.2.
For Liferay DXP 7.0, apply fix pack 93 or later.
For Liferay DXP 7.1, apply fix pack 19 or later.
For Liferay DXP 7.2, apply fix pack 6 or later.

Fix

Incorrect Default Permissions

Weakness Enumeration

Related Identifiers

CVE-2021-33333
GHSA-G7XC-M762-WG8F

Affected Products

Liferay Dxp
Liferay Portal