CVE-2021-33321

HIGH

Liferay Portal <7.3 - Info Disclosure


Description

Insecure default configuration in Liferay Portal 6.2.3 through 7.3.2, and Liferay DXP before 7.3, allows remote attackers to enumerate user email addresses via the forgot password functionality. The portal property login.secure.forgot.password should default to true.

Scores

CVSS v3 7.5
EPSS 0.0031
EPSS Percentile 54.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE CWE-640
Status published
Products (4)
com.liferay.portal/com.liferay.portal.impl 0 - 5.11.0 (Maven)
com.liferay.portal/release.portal.bom 0 - 7.3.3 (Maven)
liferay/dxp < 7.3
liferay/liferay_portal 6.2.3 - 7.3.3
Published Aug 03, 2021
Tracked Since Feb 18, 2026