CVE-2021-33330
Description
Liferay Portal 7.2.0 through 7.3.2, and Liferay DXP 7.2 before fix pack 9, allows access to Cross-origin resource sharing (CORS) protected resources if the user is only authenticated using the portal session authentication, which allows remote attackers to obtain sensitive information including the targeted user’s email address and current CSRF token.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Liferay Portal and DXP CORS bypass allows remote attackers to obtain sensitive information like email and CSRF token via portal session authentication.
Vulnerability
In Liferay Portal 7.2.0 through 7.3.2 and Liferay DXP 7.2 before fix pack 9, Cross-Origin Resource Sharing (CORS) protected resources can be accessed if the user is authenticated only using portal session authentication. This allows an attacker to bypass CORS restrictions. [1]
Exploitation
An attacker who lures an authenticated user to a malicious page can have that user's browser issue cross-origin requests to the target Liferay instance; because the portal session cookie alone satisfies authentication for CORS-protected resources, the response discloses the user's email address and current CSRF token to the attacker. [1]
Impact
Successful exploitation results in the disclosure of sensitive information, including the targeted user's email address and CSRF token. The CSRF token can be used to perform arbitrary actions on behalf of the user within the Liferay portal. [1]
Mitigation
Liferay DXP 7.2 should be upgraded to fix pack 9 or later. Liferay Portal users should upgrade to version 7.3.3 or later. If patching is not immediately possible, additional CORS configuration or CSRF token rotation may be considered. [1]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.liferay.portal:release.portal.bom (Maven) | >= 7.2.0, < 7.3.3 | 7.3.3 |
Affected products
- Liferay/Liferay Portal
- Range: >=7.2.0, <=7.3.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-6xxc-4jc4-7jv3 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-33330 (NVD advisory)
- issues.liferay.com/browse/LPE-17127 (vendor issue, CONFIRM)
- portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747720 (vendor known-vulnerabilities entry, CONFIRM)
News mentions
No linked articles in our index yet.