CVE-2021-33333

MEDIUM

Liferay Portal <7.3.2 & DXP <7.0-7.2 - Privilege Escalation

Title source: llm

Description

The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19 and 7.2 before fix pack 6, does not properly check user permission, which allows remote authenticated users to view and delete workflow submissions via crafted URLs.

References (2)

Core References
Patch, Vendor Advisory x_refsource_confirm
https://issues.liferay.com/browse/LPE-17032

Scores

CVSS v3 6.3
EPSS 0.0029
EPSS Percentile 51.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Details

CWE
CWE-276
Status published
Products (3)
com.liferay.portal/release.dxp.bom 0 - 7.0.10.fp93 (Maven)
com.liferay.portal/release.portal.bom 0 (Maven)
liferay/digital_experience_platform 7.0 (48 CPE variants)
Published Aug 03, 2021
Tracked Since Feb 18, 2026