CVE-2021-33990

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2021-33990
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-33990.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-33990
Published
2023-04-16T04:15:07.967Z
Modified
2026-03-15T22:45:17.938798Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Liferay Portal 6.2.5 allows Command=FileUpload&Type=File&CurrentFolder=/ requests when frmfolders.html exists. NOTE: The vendor disputes this issue because the exploit reference link only shows frmfolders.html is accessible and does not demonstrate how an unauthorized user can upload a file.

References

Affected packages

Git / github.com/liferay/liferay-portal

Affected ranges

Type
GIT
Repo
https://github.com/liferay/liferay-portal
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
65d7a800f1a57b232a127bdcaefb876a9de469f9
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "6.2.5"
        }
    ]
}

Affected versions

6.*
6.1.0-b1
6.1.0-b2
6.1.0-b3
6.1.0-b4
6.1.0-rc1
6.2.0-b1
6.2.0-b2
6.2.0-ga1
6.2.0-m2
6.2.0-m3
6.2.0-m4
6.2.0-m5
6.2.0-m6
6.2.0-rc1
6.2.0-rc2
6.2.0-rc3
6.2.0-rc4
6.2.0-rc5
6.2.0-rc6
6.2.1-ga2
6.2.2-ga3
6.2.3-ga4
6.2.4-ga5
6.2.5-ga6

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-33990.json"