Description
The Flags module in Liferay Portal 7.3.1 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20, and 7.2 before fix pack 5, does not limit the rate at which content can be flagged as inappropriate, which allows remote authenticated users to spam the site administrator with emails.
References (2)
Core References
Patch, Release Notes, Vendor Advisory x_refsource_confirm
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747590
Patch, Vendor Advisory x_refsource_confirm
https://issues.liferay.com/browse/LPE-17007
Scores
CVSS v3
4.3
EPSS
0.0039
EPSS Percentile
60.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Details
CWE
CWE-770
Status
published
Products (3)
com.liferay/com.liferay.flags.taglib
0 - 5.0.11 (Maven)
com.liferay.portal/release.dxp.bom
7.0.0 - 7.0.10.fp96 (Maven)
liferay/digital_experience_platform
7.0 (48 CPE variants)
Published
Aug 03, 2021
Tracked Since
Feb 18, 2026