Description

The Layout module in Liferay Portal 7.1.0 through 7.3.1, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 5, does not properly check permission of pages, which allows remote authenticated users without view permission of a page to view the page via a site's page administration.

Remediation

References

CVE-2021-33324

Related Vulnerabilities

Liferay DXP Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2021-38263)

WordPress Plugin Wordfence Security-Firewall & Malware Scan Cross-Site Scripting (7.6.0)

WordPress Plugin PickPlugins Product Slider for WooCommerce Cross-Site Scripting (1.13.21)

WordPress Plugin Easy Gallery Slideshow Cross-Site Scripting (1.1)

WordPress Plugin Conditional Marketing Mailer for WooCommerce Cross-Site Request Forgery (1.5.2)

Severity

Medium

Classification

CVE-2021-33324 CWE-276 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Missing Update Known Vulnerabilities