CVE-2021-33327

The Portlet Configuration module in Liferay Portal 7.2.0 through 7.3.3, and Liferay DXP 7.0 fix pack pack 93 and 94, 7.1 fix pack 18, and 7.2 before fix pack 8, does not properly check user permission, which allows remote authenticated users to view the Guest and User role even if "Role Visibility" is enabled.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 29%
VendorProductVersion
liferaydigital_experience_platform
7.0:fix_pack_93
liferaydigital_experience_platform
7.0:fix_pack_94
liferaydigital_experience_platform
7.1:fix_pack_18
liferaydigital_experience_platform
7.2
liferaydigital_experience_platform
7.2:fix_pack_1
liferaydigital_experience_platform
7.2:fix_pack_2
liferaydigital_experience_platform
7.2:fix_pack_3
liferaydigital_experience_platform
7.2:fix_pack_4
liferaydigital_experience_platform
7.2:fix_pack_5
liferaydigital_experience_platform
7.2:fix_pack_6
liferaydigital_experience_platform
7.2:fix_pack_7
liferayliferay_portal
7.2.0 ≤
𝑥
< 7.3.4
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://issues.liferay.com/browse/LPE-17075
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747840
https://issues.liferay.com/browse/LPE-17075
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747840