CVE-2021-33990

Liferay Portal 6.2.5 allows Command=FileUpload&Type=File&CurrentFolder=/ requests when frmfolders.html exists. NOTE: The vendor disputes this issue because the exploit reference link only shows frmfolders.html is accessible and does not demonstrate how an unauthorized user can upload a file.

Published: Apr 16, 2023
Updated: Nov 8, 2023
CVE: CVE-2021-33990
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-281

Affected Software
References

Software	From	Fixed in
liferay / liferay_portal	6.2.5	6.2.5.x

http://packetstormsecurity.com/files/171701/Liferay-Portal-6.2.5-Insecure-Permissions.html
https://github.com/fu2x2000/Liferay_exploit_Poc

Vulnerability Database

290,020

CVE-2021-33990