First published: Sun Apr 16 2023
** DISPUTED ** Liferay Portal 6.2.5 allows Command=FileUpload&Type=File&CurrentFolder=/ requests when frmfolders.html exists. NOTE: The vendor disputes this issue because the exploit reference link only shows frmfolders.html is accessible and does not demonstrate how an unauthorized user can upload a file.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Liferay Liferay Portal | =6.2.5 | |
The vulnerability ID for this issue is CVE-2021-33990.
The severity of CVE-2021-33990 is critical with a severity value of 9.8.
Liferay Portal version 6.2.5 is affected by CVE-2021-33990.
The CWE ID for CVE-2021-33990 is CWE-281.
Yes, there are exploit references available for CVE-2021-33990. You can find them at the following links: [http://packetstormsecurity.com/files/171701/Liferay-Portal-6.2.5-Insecure-Permissions.html](http://packetstormsecurity.com/files/171701/Liferay-Portal-6.2.5-Insecure-Permissions.html) and [https://github.com/fu2x2000/Liferay_exploit_Poc](https://github.com/fu2x2000/Liferay_exploit_Poc).