CyberSec.Space Logo
Back to CVE Browser

CVE-2021-33990

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.1240%
EPSS Percentile13.33th
PublishedApr 16, 2023
Last ModifiedNov 21, 2024

Vulnerability Description

Liferay Portal 6.2.5 allows Command=FileUpload&Type=File&CurrentFolder=/ requests when frmfolders.html exists. NOTE: The vendor disputes this issue because the exploit reference link only shows frmfolders.html is accessible and does not demonstrate how an unauthorized user can upload a file.

Affected Platforms (CPE)

πŸ“¦
Liferay

Liferay Portal

= 6.2.5

References & Advisories

πŸ”— http://packetstormsecurity.com/files/171701/Liferay-Portal-6.2.5-Insecure-Permissions.html
πŸ”— https://github.com/fu2x2000/Liferay_exploit_Poc
πŸ”— http://packetstormsecurity.com/files/171701/Liferay-Portal-6.2.5-Insecure-Permissions.html
πŸ”— https://github.com/fu2x2000/Liferay_exploit_Poc

Related Vulnerabilities

CVE-2019-168919.8

Liferay Portal CE 6.2.5 allows remote command execution because of deserialization of a JSON payload.

CVE-2020-79619.8

Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JS...

CVE-2020-134458.8

In Liferay Portal before 7.3.2 and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 6, the temp...

CVE-2021-290538.8

Multiple SQL injection vulnerabilities in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1 allow remote authenticated us...