LSV-684: CORS should not work with Portal Session authentication

Affects versions

Fix versions

7.0 Fix Pack Version: None
7.1 Fix Pack Version: None
7.2 Fix Pack Version: 9
7.3 Fix Pack Version: None
7.4 Fix Pack Version: None

CVE IDs

CVSS Base Score

CVSS Vector String

Description

Liferay DXP 7.2 allows access to resources protected by cross-origin resource sharing (CORS) even when the user is authenticated only through portal session authentication, which allows remote attackers to obtain sensitive information, including the user's email address and the current CSRF token.

Fixed

Details

Assignee

Reporter

Priority

Components


Created October 28, 2020 at 4:38 PM
Updated August 2, 2021 at 12:10 AM
Resolved December 14, 2020 at 8:04 AM