Vulnerability Details CVE-2021-33327
The Portlet Configuration module in Liferay Portal 7.2.0 through 7.3.3, and Liferay DXP 7.0 fix pack pack 93 and 94, 7.1 fix pack 18, and 7.2 before fix pack 8, does not properly check user permission, which allows remote authenticated users to view the Guest and User role even if "Role Visibility" is enabled.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 30.0%
CVSS Severity
CVSS v3 Score 4.3
CVSS v2 Score 4.0
References
- https://issues.liferay.com/browse/LPE-17075
- https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747840
- https://issues.liferay.com/browse/LPE-17075
- https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747840
Products affected by CVE-2021-33327
-
cpe:2.3:a:liferay:dxp:7.0
-
cpe:2.3:a:liferay:dxp:7.1
-
cpe:2.3:a:liferay:dxp:7.2
-
cpe:2.3:a:liferay:liferay_portal:7.2.0
-
cpe:2.3:a:liferay:liferay_portal:7.2.1
-
cpe:2.3:a:liferay:liferay_portal:7.3
-
cpe:2.3:a:liferay:liferay_portal:7.3.0
-
cpe:2.3:a:liferay:liferay_portal:7.3.1
-
cpe:2.3:a:liferay:liferay_portal:7.3.2
-
cpe:2.3:a:liferay:liferay_portal:7.3.3