CVE-2021-33324
Description
The Layout module in Liferay Portal 7.1.0 through 7.3.1, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 5, does not properly check permission of pages, which allows remote authenticated users without view permission of a page to view the page via a site's page administration.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Liferay Portal and DXP Layout module fails to enforce page view permissions, allowing authenticated users to view restricted pages via page administration.
Vulnerability
The Layout module in Liferay Portal 7.1.0 through 7.3.1 and Liferay DXP 7.1 before fix pack 20 and 7.2 before fix pack 5 does not properly check permissions when viewing pages via the site's page administration interface. This allows remote authenticated users who lack view permission on a page to still view it. [1][3]
Exploitation
An attacker needs only a valid authenticated session on a Liferay instance. By navigating to the site's page administration, they can view pages that should be restricted. No special privileges or user interaction beyond authentication is required. [1][3]
Impact
Successful exploitation results in unauthorized disclosure of page content, violating confidentiality. The attacker gains the ability to view pages they are not permitted to see, potentially exposing sensitive information. The privilege level remains that of the authenticated user, but the scope of access is broader than intended. [1][3]
Mitigation
Liferay Portal 7.3 users should upgrade to 7.3 CE GA3 (7.3.2) or later. For Liferay Portal 7.2, a source patch is available for 7.2 GA2 (7.2.1). For Liferay Portal 7.1, upgrade to 7.2.1 and apply the latest patch. Liferay DXP 7.1 users should apply fix pack 20, and DXP 7.2 users fix pack 5. No workaround is mentioned. [3]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.liferay.portal:release.portal.bomMaven | >= 7.1.0, < 7.3.2 | 7.3.2 |
com.liferay.portal:release.dxp.bomMaven | < 7.1.10.fp20 | 7.1.10.fp20 |
com.liferay.portal:release.dxp.bomMaven | >= 7.2.0, < 7.2.10.fp5 | 7.2.10.fp5 |
Affected products
5- Liferay/Liferay Portaldescription
- Range: >=7.1.0, <=7.3.1
- ghsa-coords2 versions
< 7.1.10.fp20+ 1 more
- (no CPE)range: < 7.1.10.fp20
- (no CPE)range: >= 7.1.0, < 7.3.2
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-474f-cmx5-gm69ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-33324ghsaADVISORY
- issues.liferay.com/browse/LPE-17001ghsax_refsource_CONFIRMWEB
- portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747063ghsax_refsource_CONFIRMWEB
- web.archive.org/web/20220828222955/https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747063ghsaWEB
News mentions
0No linked articles in our index yet.