CVE-2021-33338: Liferay Portal Layout Module and Liferay DXP Exposes the Cross-Site Request Forgery (CSRF) Token in URLs

May 24, 2022 (updated May 28, 2025)

The Layout module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 6, exposes the CSRF token in URLs, which allows man-in-the-middle attackers to obtain the token and conduct Cross-Site Request Forgery (CSRF) attacks via the p_auth parameter.

References

github.com/advisories/GHSA-4frg-rpx6-96qh
github.com/liferay/liferay-portal
issues.liferay.com/browse/LPE-17030
nvd.nist.gov/vuln/detail/CVE-2021-33338
portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748276

Code Behaviors & Features

Detect and mitigate CVE-2021-33338 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →