Description

Liferay Portal 7.2.0 through 7.3.2, and Liferay DXP 7.2 before fix pack 9, allows access to Cross-origin resource sharing (CORS) protected resources if the user is only authenticated using the portal session authentication, which allows remote attackers to obtain sensitive information including the targeted user’s email address and current CSRF token.

Remediation

References

CVE-2021-33330

Related Vulnerabilities

Moodle Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2015-5335)

WordPress Plugin WP REST API (WP API) Information Disclosure (1.2)

Ruby on Rails Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2011-0447)

PHP Other Vulnerability (CVE-2015-6832)

WordPress Plugin Plug-N-Edit Full Drag & Drop HTML Visual Editor with Web Page Builder WYSIWYG Cross-Site Scripting (5.2.0)

Severity

Medium

Classification

CVE-2021-33330 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Tags

Missing Update Known Vulnerabilities