Vulnerability Details CVE-2021-33324
The Layout module in Liferay Portal 7.1.0 through 7.3.1, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 5, does not properly check permission of pages, which allows remote authenticated users without view permission of a page to view the page via a site's page administration.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 32.5%
CVSS Severity
CVSS v3 Score 4.3
CVSS v2 Score 4.0
References
- https://issues.liferay.com/browse/LPE-17001
- https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747063
- https://issues.liferay.com/browse/LPE-17001
- https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747063
Products affected by CVE-2021-33324
-
cpe:2.3:a:liferay:dxp:7.1
-
cpe:2.3:a:liferay:dxp:7.2
-
cpe:2.3:a:liferay:liferay_portal:7.1.0
-
cpe:2.3:a:liferay:liferay_portal:7.1.1
-
cpe:2.3:a:liferay:liferay_portal:7.1.2
-
cpe:2.3:a:liferay:liferay_portal:7.1.3
-
cpe:2.3:a:liferay:liferay_portal:7.2
-
cpe:2.3:a:liferay:liferay_portal:7.2.0
-
cpe:2.3:a:liferay:liferay_portal:7.2.1
-
cpe:2.3:a:liferay:liferay_portal:7.3
-
cpe:2.3:a:liferay:liferay_portal:7.3.0
-
cpe:2.3:a:liferay:liferay_portal:7.3.1