CVE-2021-33323: Liferay Portal and Liferay DXP autosaves form data for other users to see

May 24, 2022 (updated June 27, 2025)

The Dynamic Data Mapping module in Dynamic Data Mapping Form Web before 3.0.23 in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 7, autosaves form values for unauthenticated users, which allows remote attackers to view the autosaved values by viewing the form as an unauthenticated user.

References

github.com/advisories/GHSA-fxpf-jr2q-vpvv
github.com/liferay/liferay-portal
issues.liferay.com/browse/LPE-17049
nvd.nist.gov/vuln/detail/CVE-2021-33323
portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747107

Code Behaviors & Features

Detect and mitigate CVE-2021-33323 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →