CVE-2021-33322
Description
In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 18, and 7.2 before fix pack 5, password reset tokens are not invalidated after a user changes their password, which allows remote attackers to change the users password via the old password reset token.
Risk Information
Base Score
7.5
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score
Exploitation Probability
0.223
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2021-33322,CVE-2021-33326,CVE-2021-33320 are fixed in Liferay - release.dxp.bom 7.0.10 | Windows |
| Vulnerabilities CVE-2021-33322,CVE-2021-33336,CVE-2020-13445 are fixed in Liferay - release.dxp.bom 7.1.10 | Windows |
| Vulnerabilities CVE-2023-47798,CVE-2021-33322,CVE-2021-33320,CVE-2021-33324,CVE-2020-15842 are fixed in Liferay - release.dxp.bom 7.2.10 | Windows |
| Vulnerabilities CVE-2021-33322 are fixed in Liferay - com.liferay.portal.impl 5.7.3 | Windows |
| Vulnerabilities CVE-2021-33322,CVE-2021-33326,CVE-2021-33320 are fixed in Liferay - release.dxp.bom for Linux 7.0.10 | Linux |
| Vulnerabilities CVE-2021-33322,CVE-2021-33336,CVE-2020-13445 are fixed in Liferay - release.dxp.bom for Linux 7.1.10 | Linux |
| Vulnerabilities CVE-2023-47798,CVE-2021-33322,CVE-2021-33320,CVE-2021-33324,CVE-2020-15842 are fixed in Liferay - release.dxp.bom for Linux 7.2.10 | Linux |
| Vulnerabilities CVE-2021-33322 are fixed in Liferay - com.liferay.portal.impl for Linux 5.7.3 | Linux |
Patch Details
No records foundReferences
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234