CVE-2021-33334
Description
The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.2, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 6, does not properly check user permissions, which allows remote attackers with the forms "Access in Site Administration" permission to view all forms and form entries in a site via the forms section in site administration.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Liferay Portal and DXP Dynamic Data Mapping module improperly checks permissions, allowing users with 'Access in Site Administration' to view all forms and entries.
Vulnerability
The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.2, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 6, does not properly check user permissions [1]. This allows remote attackers who possess the "Access in Site Administration" permission to view all forms and form entries in a site via the forms section in site administration [1].
Exploitation
Exploitation requires the attacker to have the "Access in Site Administration" permission for a site [1]. The attacker can then navigate to the forms section in site administration and view all forms and their entries without additional authorization checks [1]. No other privileges or user interaction are needed beyond the specified permission.
Impact
An attacker with the "Access in Site Administration" permission can view all forms and form entries in a site, leading to unauthorized disclosure of sensitive data submitted through forms [1]. The confidentiality of form data is compromised, potentially exposing personal or business-critical information.
Mitigation
Liferay released fixes for the affected versions: Liferay DXP 7.0 fix pack 94, 7.1 fix pack 19, 7.2 fix pack 6, and Liferay Portal 7.3.3 or later [1]. Users should upgrade to these fixed versions. If immediate upgrade is not possible, restrict the "Access in Site Administration" permission to trusted users only as a workaround.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| com.liferay.portal:release.portal.bom | Maven | >= 7.0.0, <= 7.3.2 | — |
| com.liferay.portal:release.dxp.bom | Maven | >= 7.0.10.fp0, < 7.0.10.fp94 | 7.0.10.fp94 |
| com.liferay.portal:release.dxp.bom | Maven | >= 7.1.0, < 7.1.10.fp19 | 7.1.10.fp19 |
| com.liferay.portal:release.dxp.bom | Maven | >= 7.2.0, < 7.2.10.fp6 | 7.2.10.fp6 |
Affected products
- Liferay/Liferay Portal (source: description)
  - Range: 7.0.0 through 7.3.2
- ghsa-coords (2 versions)
  - >= 7.0.10.fp0, < 7.0.10.fp94 (+ 1 more)
- (no CPE) range: >= 7.0.10.fp0, < 7.0.10.fp94
- (no CPE) range: >= 7.0.0, <= 7.3.2
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-g37f-j8hh-736f (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-33334 (ghsa, ADVISORY)
- issues.liferay.com/browse/LPE-17039 (ghsa, x_refsource_CONFIRM, WEB)
- portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748332 (ghsa, x_refsource_CONFIRM, WEB)