CVE-2021-33335: Liferay Portal and Liferay DXP Has Company Administrator Accounts Vulnerable to Takeovers

May 24, 2022 (updated May 28, 2025)

Privilege escalation vulnerability in Liferay Portal 7.0.3 through 7.3.4, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 9 allows remote authenticated users with permission to update/edit users to take over a company administrator user account by editing the company administrator user.

References

github.com/advisories/GHSA-5gh9-g62h-f35m
github.com/liferay/liferay-portal
issues.liferay.com/browse/LPE-17103
nvd.nist.gov/vuln/detail/CVE-2021-33335
web.archive.org/web/20220828222916/https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747906

Code Behaviors & Features

Detect and mitigate CVE-2021-33335 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →