CVE-2021-33322

high-risk

Published 2021-08-03

In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 18, and 7.2 before fix pack 5, password reset tokens are not invalidated after a user changes their password, which allows remote attackers to change the user’s password via the old password reset token.

Do I need to act?

-

0.22% chance of exploitation

EPSS score — low exploit probability

-

Not on CISA KEV list

No confirmed active exploitation reported to CISA

?

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

7

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (20)

Digital Experience Platform

Digital Experience Platform

Digital Experience Platform

Digital Experience Platform

Digital Experience Platform

Digital Experience Platform

Digital Experience Platform

Digital Experience Platform

Digital Experience Platform

Digital Experience Platform

Digital Experience Platform

Digital Experience Platform

Digital Experience Platform

Digital Experience Platform

Digital Experience Platform

Digital Experience Platform

Digital Experience Platform

Digital Experience Platform

Digital Experience Platform

Digital Experience Platform

Affected Vendors

Liferay

References (4)

Patch https://issues.liferay.com/browse/LPE-16981

Release Notes https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publishe...

Patch https://issues.liferay.com/browse/LPE-16981

Release Notes https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publishe...

56

/ 100

high-risk

Severity 26/34 · High

Exploitability 1/34 · Minimal

Exposure 29/34 · Critical