Description
Liferay Portal 7.2.0 through 7.3.2 allows access to resources protected by cross-origin resource sharing (CORS) when the user is authenticated only through portal session authentication. This allows remote attackers to obtain sensitive information, including the targeted user’s email address and current CSRF token.
Severity
Severity 2
Fixed Version(s)
- Liferay Portal 7.3.3
- May 2021 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page.
Acknowledgments
This issue was reported by Prajwal Khante.
Publication date: Mon, 10 May 2021 16:00:00 +0000