Low
CVE-2021-33331
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2021-33331
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
Open redirect vulnerability in the Notifications module in Liferay Portal 7.0.0 through 7.3.1, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19 and 7.2 before fix pack 8, allows remote attackers to redirect users to arbitrary external URLs via the ‘redirect’ parameter.
Add Assessment
Ratings
-
Attacker ValueLow
Technical Analysis
Additional information added by the discoverer at https://liferay.atlassian.net/browse/LPE-17022
Steps to reproduce:
- Create a Web Content Folder Folder1
- Configure Folder1 with Workflow Single Approver
- Create a Web Content WC1 in Folder1
- Go to Notifications
- Copy the link of the new notification.
- Replace the value of the redirect parameter with http%3A%2F%2Fwww.liferay.com
Expected result:
- The user is not redirected to a page within [https://www.liferay.com|https://www.liferay.com/]
Actual result:
- The user is redirected to a page with [https://www.liferay.com|https://www.liferay.com/]
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- liferay
Products
- dxp 7.0,
- dxp 7.1,
- dxp 7.2,
- liferay portal
References
Additional Info
Technical Analysis
Report as Emergent Threat Response
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
