PT-2021-20119 · Liferay · Liferay Portal, Liferay DXP

Published

2021-08-04

·

Updated

2022-05-24

·

CVE-2021-33338

CVSS v3.1

7.5

High

Vector

AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Liferay Portal versions 7.1.0 through 7.3.2
Liferay DXP versions 7.1 before fix pack 19
Liferay DXP versions 7.2 before fix pack 6
Description

The Layout module in the affected software places the CSRF token in URLs as the p_auth query parameter. Anyone who can observe the URL, such as a man-in-the-middle attacker on the network path, obtains a valid token and can conduct Cross-Site Request Forgery (CSRF) attacks against the user it belongs to. Because a token carried in a URL is also copied into browser history, web-server and proxy logs, and the Referer header of outbound links, the token may be disclosed through those channels as well, not only to an on-path observer.
Recommendations

For Liferay Portal versions 7.1.0 through 7.3.2, update to Liferay Portal 7.3.3 or later, the first release outside the affected range, which includes the fix for the Layout module. For Liferay DXP 7.1 before fix pack 19, apply fix pack 19 or later. For Liferay DXP 7.2 before fix pack 6, apply fix pack 6 or later. As a temporary workaround, restrict access to the Layout module to reduce the number of users and requests that can expose a token; note that this only narrows exposure and does not remove the token from URLs that have already been logged or shared.
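The practical check a defender wants after reading the description above is whether p_auth tokens have already been written into access logs, either in request URLs or in Referer headers from pages that carried the token. The following is an added example, not code from this advisory or from Liferay; it assumes only the parameter name p_auth given in the description, a combined-format access log, and a few constructed log lines embedded for demonstration. It reports every leaking URL and shows how a log pipeline could redact the token value while keeping the rest of the line useful.

```python
"""Audit access logs for CSRF tokens leaking through URLs (added example).

Assumes the Liferay CSRF token travels in a query parameter named p_auth,
as the advisory states. Log lines below are constructed for the example.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameters that must never appear in a URL: once there they are copied
# into server and proxy logs, browser history and the Referer header of
# every outbound link, not only observed by an on-path attacker.
SENSITIVE_PARAMS = {"p_auth"}

# Combined log format: client, identd, user, [timestamp], "request",
# status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one request carrying the token, one clean request,
# and one static-asset request whose Referer leaks the token.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Aug/2021:10:15:01 +0000] '
    '"GET /group/guest/home?p_p_id=com_liferay_layout&p_auth=AbCd1234 HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [04/Aug/2021:10:15:09 +0000] '
    '"GET /web/guest/about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [04/Aug/2021:10:16:33 +0000] '
    '"GET /static/logo.png HTTP/1.1" 200 900 '
    '"https://portal.example/group/guest/home?p_auth=AbCd1234" "Mozilla/5.0"',
]


def leaked_params(url):
    """Return the sorted names of sensitive parameters in url's query string."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return sorted({k for k, _ in pairs if k in SENSITIVE_PARAMS})


def redact(url):
    """Replace each sensitive parameter's value with [REDACTED].

    Path and the remaining parameters are preserved so the log entry still
    identifies the page and portlet that produced the leak.
    """
    parts = urlsplit(url)
    pairs = [(k, "[REDACTED]" if k in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="[]")))


def audit(lines):
    """Return (field, url, params) for every request URL or Referer that
    carries a sensitive parameter. Lines that do not parse are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("url", "referer"):
            params = leaked_params(m.group(field))
            if params:
                findings.append((field, m.group(field), params))
    return findings


if __name__ == "__main__":
    for field, url, params in audit(SAMPLE_LOG):
        print(f"{field}: {', '.join(params)} leaked in {url}")
        print(f"  redacted form: {redact(url)}")
```

Run it against the real access log by replacing SAMPLE_LOG with the file's lines; a hit in the referer field means the token was already sent to whichever host served that resource, which is the disclosure path the description calls out beyond a network observer.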

CSRF

Weakness Enumeration

Related Identifiers

CVE-2021-33338
GHSA-4frg-rpx6-96qh

Affected Products

Liferay DXP
Liferay Portal