CVE-2021-33331

MEDIUM6.1EPSS 0.36%

Liferay Portal and Liferay DXP Allows Arbitrary Redirect of Users to External URLs

Published: 5/24/2022Modified: 5/28/2025

Description

Open redirect vulnerability in the Notifications module in Liferay Portal 7.0.0 through 7.3.1, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19 and 7.2 before fix pack 8, allows remote attackers to redirect users to arbitrary external URLs via the 'redirect' parameter.

Affected packages (2)

Maven/com.liferay.portal:release.dxp.bom>= 7.0.10.fp0, < 7.0.10.fp94
Maven/com.liferay.portal:release.portal.bom>= 7.0.0, <= 7.3.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-33331
PATCHhttps://github.com/liferay/liferay-portal
WEBhttps://issues.liferay.com/browse/LPE-17022
WEBhttps://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747627