CVE-2021-33321
Description
Insecure default configuration in Liferay Portal 6.2.3 through 7.3.2, and Liferay DXP before 7.3, allows remote attackers to enumerate user email addresses via the forgot password functionality. The portal property login.secure.forgot.password should default to true.
Risk Information
Base Score
7.5
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score
Exploitation Probability
0.313
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2020-24554, CVE-2021-33321 are fixed in Liferay - release.portal.bom 7.3.3 | Windows |
| Vulnerability CVE-2021-33321 is fixed in Liferay - com.liferay.portal.impl 5.11.0 | Windows |
| Vulnerabilities CVE-2020-24554, CVE-2021-33321 are fixed in Liferay - release.portal.bom for Linux 7.3.3 | Linux |
| Vulnerability CVE-2021-33321 is fixed in Liferay - com.liferay.portal.impl for Linux 5.11.0 | Linux |
Patch Details
No records found
References
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234