GHSA-6xxc-4jc4-7jv3

Source

https://github.com/advisories/GHSA-6xxc-4jc4-7jv3

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-6xxc-4jc4-7jv3/GHSA-6xxc-4jc4-7jv3.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-6xxc-4jc4-7jv3

Aliases

CVE-2021-33330

Published

2022-05-24T22:28:20Z

Modified

2024-02-16T08:05:52.741828Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Exposure of Resource to Wrong Sphere in Liferay Portal

Details

Liferay Portal 7.2.0 through 7.3.2, and Liferay DXP 7.2 before fix pack 9, allows access to Cross-origin resource sharing (CORS) protected resources if the user is only authenticated using the portal session authentication, which allows remote attackers to obtain sensitive information including the targeted user’s email address and current CSRF token.

Database specific

{
    "nvd_published_at": "2021-08-03T19:15:00Z",
    "cwe_ids": [
        "CWE-668"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-09T13:17:26Z"
}

References

Affected packages

Maven / com.liferay.portal:release.portal.bom

Package

Name: com.liferay.portal:release.portal.bom; View open source insights on deps.dev
Purl: pkg:maven/com.liferay.portal/release.portal.bom

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.2.0

Fixed

7.3.3

Affected versions

7.*

7.2.0

7.2.1

7.2.1-1

7.3.0

7.3.0-1

7.3.1

7.3.1-1

7.3.2

7.3.2-1