Description

The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.2, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 6, does not properly check user permissions, which allows remote attackers with the forms "Access in Site Administration" permission to view all forms and form entries in a site via the forms section in site administration.

Remediation

References

CVE-2021-33334

Related Vulnerabilities

WordPress Plugin WP Photo Album Plus Cross-Site Scripting (5.0.10)

OpenSSL Resource Management Errors Vulnerability (CVE-2011-4577)

Liferay Portal Deserialization of Untrusted Data Vulnerability (CVE-2019-16891)

Chamilo Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2021-26746)

phpMyAdmin Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2015-8669)

Severity

Medium

Classification

CVE-2021-33334 CWE-276 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Missing Update Known Vulnerabilities