PT-2021-11143 · Liferay · Liferay CMS Portal
Published: 2021-01-07 · Updated: 2022-05-24 · CVE-2020-25476
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions:
Liferay CMS Portal versions 7.1.3 through 7.2.1
Description:
The issue is a blind persistent (stored) cross-site scripting (XSS) vulnerability in the user name parameter of the Calendar module. An attacker can insert a malicious payload into the username, lastname, or surname fields of their own profile; the payload is stored and then rendered in the calendar of the user who submitted it. This could allow an attacker to escalate their privileges if an administrator views the calendar in which the payload was injected.
Recommendations:
For Liferay CMS Portal version 7.1.3, update to a version that fixes the blind persistent XSS vulnerability.
For Liferay CMS Portal version 7.2.1, update to a version that fixes the blind persistent XSS vulnerability.
As a temporary workaround, consider restricting access to the Calendar feature to minimize the risk of exploitation.
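The defect described above is a classic output-encoding failure: a name stored once in a profile is later written into calendar markup as raw HTML. The following is an added illustration, not Liferay's code; the event/profile shapes and function names are assumed. It shows the vulnerable rendering pattern next to the hardened one that HTML-encodes every user-originated value at the point it is written into the page.

```javascript
// Added example, not Liferay's code: a stored profile name executing later in
// a calendar view, and the output encoding that prevents it.
// Event/profile shapes and function names are assumed for illustration.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Encode an untrusted string for an HTML text or quoted-attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored profile fields are concatenated straight into
// the calendar's markup, so any markup saved in the name renders as HTML.
function renderEventVulnerable(event) {
  const who = `${event.organizer.firstName} ${event.organizer.lastName}`;
  return `<li class="event">${event.title} (organizer: ${who})</li>`;
}

// Hardened pattern: every value that originated from a user is encoded
// where it is written into HTML, regardless of what the profile stores.
function renderEventSafe(event) {
  const who = `${escapeHtml(event.organizer.firstName)} ${escapeHtml(event.organizer.lastName)}`;
  return `<li class="event">${escapeHtml(event.title)} (organizer: ${who})</li>`;
}

// Constructed sample data: a normal profile and one whose surname field was
// filled with a script element when the profile was saved.
const SAMPLE_EVENTS = [
  { title: "Standup", organizer: { firstName: "Alice", lastName: "Smith" } },
  { title: "Review", organizer: { firstName: "Mallory", lastName: "<script>alert(1)</script>" } },
];

// Render a calendar view with the supplied per-event renderer; returns markup.
function renderCalendar(events, renderEvent) {
  return `<ul class="calendar">${events.map(renderEvent).join("")}</ul>`;
}

// Regression check for reviewers/tests: the template itself emits no <script>
// element, so any occurrence in the output came from user-controlled data.
function hasRawScriptTag(html) {
  return /<script\b/i.test(html);
}
```

Encoding must match the output context: if the name is instead embedded in a JavaScript data structure or an event handler attribute, HTML text encoding alone is not sufficient.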
Tags: Fix, XSS
Affected Products
Liferay CMS Portal