Description
Privilege escalation vulnerability in Liferay Portal 7.0.3 through 7.3.4, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 9 allows remote authenticated users with permission to update/edit users to take over a company administrator user account by editing the company administrator user.
References (2)
Core References
Release Notes, Vendor Advisory x_refsource_confirm
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747906
Issue Tracking, Patch, Vendor Advisory x_refsource_confirm
https://issues.liferay.com/browse/LPE-17103
Scores
CVSS v3
7.2
EPSS
0.0063
EPSS Percentile
70.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-863
Status
published
Products (5)
com.liferay.portal/release.dxp.bom
7.1.0 - 7.1.10.fp20 (Maven)
com.liferay.portal/release.portal.bom
7.0.3 - 7.3.5 (Maven)
liferay/digital_experience_platform
7.1 (20 CPE variants)
liferay/digital_experience_platform
7.2 (9 CPE variants)
liferay/liferay_portal
7.0.3 - 7.3.5
Published
Aug 03, 2021
Tracked Since
Feb 18, 2026