CVE-2021-33332 in Liferay

Summary

by MITRE • 08/04/2021

Cross-site scripting (XSS) vulnerability in the Portlet Configuration module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 7, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_portlet_configuration_css_web_portlet_PortletConfigurationCSSPortlet_portletResource parameter.


Analysis

by VulDB Data Team • 05/14/2025

CVE-2021-33332 is a critical cross-site scripting flaw in the Portlet Configuration module of Liferay Portal and Liferay DXP. It affects Liferay Portal 7.1.0 through 7.3.2 and the DXP versions before their respective fix packs, which poses a significant risk for organizations running these enterprise portal platforms. The vulnerable input is the _com_liferay_portlet_configuration_css_web_portlet_PortletConfigurationCSSPortlet_portletResource parameter, which handles portlet resource management in the portal's configuration interface.

The root cause is insufficient input validation and output encoding in the portlet configuration module. The portletResource parameter is processed without sanitization, so script or HTML embedded in its value is neither escaped nor filtered. A remote attacker can therefore inject arbitrary web script or HTML that executes in the browsers of other users who open the affected portal pages. This is a classic reflected XSS: the malicious input is reflected straight back to the user without any security control in between.

The impact goes beyond simple script injection: an attacker could hijack sessions, deface portal interfaces, steal sensitive user information, or redirect victims to malicious websites. Because Liferay Portal is a foundational enterprise platform for many organizations, exploitation could compromise an entire portal ecosystem and potentially lead to broader system compromise, including persistent access or further reconnaissance within the affected environment.

Mitigation should start with immediate application of the vendor-provided patches and fix packs, specifically for Liferay Portal 7.3.2 and DXP 7.1/7.2 versions before their respective fix packs. Organizations should also enforce robust input validation and output encoding in their portal configurations so that every user-supplied parameter is strictly sanitized before processing. The weakness is classified as CWE-79 (cross-site scripting); its exploitation patterns correspond to the ATT&CK techniques T1566 for credential access and T1059 for command and scripting interpreter. Network segmentation and monitoring for suspicious parameter values add defense in depth, and organizations should assess their portal configurations for similar weaknesses in other components of their Liferay deployments.
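As an added defensive example (not VulDB's or Liferay's code), the following Python flags access-log requests whose portletResource parameter carries markup or event handlers, and shows the allowlist check and output encoding that close the flaw. The log lines, the combined-log format and the identifier allowlist are constructed assumptions.

```python
import html
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Parameter named in the advisory for CVE-2021-33332.
PARAM = ("_com_liferay_portlet_configuration_css_web_portlet_"
         "PortletConfigurationCSSPortlet_portletResource")
# Assumed shape of a legitimate portlet resource id (allowlist; not Liferay's own rule).
RESOURCE_ID = re.compile(r"^[A-Za-z0-9_]+$")
# Markup or script handlers that never belong in a resource id.
MARKUP = re.compile(r"<\s*/?\s*[a-z!]|javascript\s*:|\bon[a-z]+\s*=", re.I)
# Combined-log-format request line: client IP ... "METHOD target ...".
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+) ')

# Constructed sample access-log lines; only the 2nd and 3rd carry markup.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Aug/2021:10:01:02 +0000] "GET /group/guest/home?p_p_id=x&{p}=portlet_1 HTTP/1.1" 200 512
10.0.0.7 - - [08/Aug/2021:10:01:09 +0000] "GET /group/guest/home?{p}=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 734
10.0.0.9 - - [08/Aug/2021:10:02:00 +0000] "GET /group/guest/home?{p}=%22%20onmouseover%3Dalert(1)%20x%3D%22 HTTP/1.1" 200 730
10.0.0.3 - - [08/Aug/2021:10:03:00 +0000] "GET /web/guest/about HTTP/1.1" 200 300
""".format(p=PARAM)

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so %253C is caught as well as %3C."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(log_text):
    """Return (client_ip, decoded_value) for requests whose portletResource fails the allowlist and contains markup."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for value in params.get(PARAM, []):
            value = fully_decode(value)
            if not RESOURCE_ID.match(value) and MARKUP.search(value):
                hits.append((ip, value))
    return hits

def escape_for_html(value):
    """Output encoding: what the page must apply before echoing the parameter into HTML."""
    return html.escape(value, quote=True)
```

The allowlist check alone would have rejected both flagged values before they reached the page; the output encoding is the second layer for any value that is echoed anyway.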

Reservation

05/20/2021

Disclosure

08/04/2021

Moderation

accepted

CPE

ready

EPSS

0.00845

KEV

no

Activities

very low
