CVE-2021-29047: Liferay Portal and Liferay DXP Fails to Invalidate CAPTCHA Answers After Use

May 24, 2022 (updated May 14, 2025)

The SimpleCaptcha implementation in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.3 before fix pack 1 does not invalidate CAPTCHA answers after it is used, which allows remote attackers to repeatedly perform actions protected by a CAPTCHA challenge by reusing the same CAPTCHA answer.

References

github.com/advisories/GHSA-9mxg-p873-6793
github.com/liferay/liferay-portal
nvd.nist.gov/vuln/detail/CVE-2021-29047
web.archive.org/web/20210524180455/https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743467

Code Behaviors & Features

Detect and mitigate CVE-2021-29047 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →