First published: Tue Aug 03 2021(Updated: )
The Layout module in Liferay Portal 7.1.0 through 7.3.1, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 5, does not properly check permission of pages, which allows remote authenticated users without view permission of a page to view the page via a site's page administration.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Liferay DXP | =7.1 | |
Liferay DXP | =7.1-fix_pack_1 | |
Liferay DXP | =7.1-fix_pack_10 | |
Liferay DXP | =7.1-fix_pack_11 | |
Liferay DXP | =7.1-fix_pack_12 | |
Liferay DXP | =7.1-fix_pack_13 | |
Liferay DXP | =7.1-fix_pack_14 | |
Liferay DXP | =7.1-fix_pack_15 | |
Liferay DXP | =7.1-fix_pack_16 | |
Liferay DXP | =7.1-fix_pack_17 | |
Liferay DXP | =7.1-fix_pack_18 | |
Liferay DXP | =7.1-fix_pack_19 | |
Liferay DXP | =7.1-fix_pack_2 | |
Liferay DXP | =7.1-fix_pack_3 | |
Liferay DXP | =7.1-fix_pack_4 | |
Liferay DXP | =7.1-fix_pack_5 | |
Liferay DXP | =7.1-fix_pack_6 | |
Liferay DXP | =7.1-fix_pack_7 | |
Liferay DXP | =7.1-fix_pack_8 | |
Liferay DXP | =7.1-fix_pack_9 | |
Liferay DXP | =7.2 | |
Liferay DXP | =7.2-fix_pack_1 | |
Liferay DXP | =7.2-fix_pack_2 | |
Liferay DXP | =7.2-fix_pack_3 | |
Liferay DXP | =7.2-fix_pack_4 | |
Liferay Liferay Portal | >=7.1.0<7.3.2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID is CVE-2021-33324.
The severity of CVE-2021-33324 is medium.
The affected software by CVE-2021-33324 is Liferay Portal 7.1.0 through 7.3.1 and Liferay DXP 7.1 before fix pack 20 and 7.2 before fix pack 5.
CVE-2021-33324 allows remote authenticated users without view permission of a page to view the page via a site's page administration.
You can find more information about CVE-2021-33324 at the following links: https://issues.liferay.com/browse/LPE-17001, https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747063.