CVE-2021-29047
HIGH
Liferay Portal 7.3.4-7.3.5 and DXP < 7.3.10.fp1 - Improper Authentication via SimpleCaptcha Reuse
Title source: llm
Description
The SimpleCaptcha implementation in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.3 before fix pack 1 does not invalidate CAPTCHA answers after they are used, which allows remote attackers to repeatedly perform actions protected by a CAPTCHA challenge by reusing the same CAPTCHA answer.
References (2)
Core References
Vendor Advisory x_refsource_misc
http://liferay.com
Vendor Advisory x_refsource_misc
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743467
Scores
CVSS v3
7.5
EPSS
0.0029
EPSS Percentile
52.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-287
Status
published
Products (6)
com.liferay.portal/release.dxp.bom
0 - 7.3.10.fp1 (Maven)
com.liferay.portal/release.portal.bom
7.3.4 - 7.3.6 (Maven)
liferay/dxp
7.3
liferay/dxp
< 7.3
liferay/liferay_portal
7.3.4
liferay/liferay_portal
7.3.5
Published
May 16, 2021
Tracked Since
Feb 18, 2026