Description

The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 7, autosaves form values for unauthenticated users, which allows remote attackers to view the autosaved values by viewing the form as an unauthenticated user.

Remediation

References

CVE-2021-33323

Related Vulnerabilities

WordPress Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2017-9062)

WordPress Plugin Simple Download Monitor Cross-Site Scripting (3.5.3)

WordPress Plugin Calendar Event Multi View Unspecified Vulnerability (1.3.58)

PHP Permissions, Privileges, and Access Controls Vulnerability (CVE-2007-3007)

IBM RTC Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2018-1606)

Severity

High

Classification

CVE-2021-33323 CWE-312 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Missing Update Known Vulnerabilities