CVE-2021-33990

Name of the Vulnerable Software and Affected Versions Liferay Portal version 6.2.5

Description The issue allows Command=FileUpload&Type=File&CurrentFolder=/ requests when frmfolders.html exists. The vendor disputes this issue because the exploit reference link only shows frmfolders.html is accessible and does not demonstrate how an unauthorized user can upload a file.

Recommendations For Liferay Portal version 6.2.5, as a temporary workaround, consider restricting access to the frmfolders.html file until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.