PT-2021-18042 · Liferay · Liferay Portal+1

Published: 2021-05-17 · Updated: 2025-05-13 · CVE-2021-29044

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.0.0 through 7.3.5; Liferay DXP 7.0 before fix pack 97; Liferay DXP 7.1 before fix pack 21; Liferay DXP 7.2 before fix pack 10; Liferay DXP 7.3 before fix pack 1.
Description: A cross-site scripting (XSS) issue exists in the Site module's membership request administration pages. This allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_site_my_sites_web_portlet_MySitesPortlet_comments parameter.
Recommendations: For Liferay Portal versions 7.0.0 through 7.3.5, update to a version newer than this range to resolve the issue. For Liferay DXP 7.0, apply fix pack 97 or later. For Liferay DXP 7.1, apply fix pack 21 or later. For Liferay DXP 7.2, apply fix pack 10 or later. For Liferay DXP 7.3, apply fix pack 1 or later. As a temporary workaround, consider restricting access to the _com_liferay_site_my_sites_web_portlet_MySitesPortlet_comments parameter in the affected API endpoint until a patch is available.

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2021-29044
GHSA-WCR5-3Q96-C2GR

Affected Products

Liferay DXP
Liferay Portal