CVE-2021-33334 Information

Description

The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.2 and Liferay DXP 7.0 before fix pack 94 7.1 before fix pack 19 and 7.2 before fix pack 6 does not properly check user permissions which allows remote attackers with the forms \Access in Site Administration\ permission to view all forms and form entries in a site via the forms section in site administration.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Reference

https://issues.liferay.com/browse/LPE-17039 https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748332

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

LOW

Availability Impact

NONE

Base Score

NONE

Base Severity

4.3