CVE-2021-33321

Source
https://cve.org/CVERecord?id=CVE-2021-33321
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-33321.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-33321
Aliases
Published
2021-08-03T19:15:08.590Z
Modified
2026-03-14T11:10:26.414041Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

Insecure default configuration in Liferay Portal 6.2.3 through 7.3.2, and Liferay DXP before 7.3, allows remote attackers to enumerate user email addresses via the forgot password functionality. The portal.property login.secure.forgot.password should be defaulted to true.

References

Affected packages

Git / github.com/liferay/liferay-portal

Affected ranges

Type
GIT
Repo
https://github.com/liferay/liferay-portal
Events
Database specific
{
    "versions": [
        {
            "introduced": "6.2.3"
        },
        {
            "fixed": "7.3.3"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-33321.json"
unresolved_ranges
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "7.3"
            }
        ]
    }
]