Vulnerability Description
Insecure default configuration in Liferay Portal 6.2.3 through 7.3.2, and Liferay DXP before 7.3, allows remote attackers to enumerate user email address via the forgot password functionality. The portal.property login.secure.forgot.password should be defaulted to true.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Liferay | Dxp | < 7.3 |
| Liferay | Liferay Portal | >= 6.2.3, < 7.3.3 |
Related Weaknesses (CWE)
References
- https://help.liferay.com/hc/en-us/articles/360050785632Vendor Advisory
- https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisheRelease NotesVendor Advisory
- https://help.liferay.com/hc/en-us/articles/360050785632Vendor Advisory
- https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisheRelease NotesVendor Advisory
FAQ
What is CVE-2021-33321?
CVE-2021-33321 is a vulnerability with a CVSS score of 7.5 (HIGH). Insecure default configuration in Liferay Portal 6.2.3 through 7.3.2, and Liferay DXP before 7.3, allows remote attackers to enumerate user email address via the forgot password functionality. The por...
How severe is CVE-2021-33321?
CVE-2021-33321 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-33321?
Check the references section above for vendor advisories and patch information. Affected products include: Liferay Dxp, Liferay Liferay Portal.