Base Score

HIGH7.2

CVE-2021-33335

Privilege escalation vulnerability in Liferay Portal 7.0.3 through 7.3.4, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 9 allows remote authenticated users with permission to update/edit users to take over a company administrator user account by editing the company administrator user.

VectorNETWORK

Published Bycve@mitre.org

Published DateAug 03, 2021, 22:15

Affected Versions(3)

com.liferay.portal:release.portal.bom(Maven)

Introduced7.0.3

Fixed7.3.5

LimitN/A

com.liferay.portal:release.dxp.bom(Maven)

Introduced7.1.0

Fixed7.1.10.fp20

LimitN/A

com.liferay.portal:release.dxp.bom(Maven)

Introduced7.2.0

Fixed7.2.10.fp9

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
com.liferay.portal:release.portal.bom(Maven)	7.0.3	7.3.5	N/A
com.liferay.portal:release.dxp.bom(Maven)	7.1.0	7.1.10.fp20	N/A
com.liferay.portal:release.dxp.bom(Maven)	7.2.0	7.2.10.fp9	N/A

Weakness Type (CWE):CWE-863

CVSS Metrics

Base Score

7.2

Vector String

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

HIGH

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH

References

Base Score

HIGH7.2

Weakness Type (CWE):CWE-863

CVSS Metrics

Base Score

7.2

Vector String

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

HIGH

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH