PT-2021-18044 · Liferay · Liferay Portal+1
Published
2021-05-17
·
Updated
2022-05-24
·
CVE-2021-29046
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions:
Liferay Portal versions 7.3.5
Liferay DXP versions 7.3 before fix pack 1
Description:
A cross-site scripting (XSS) issue exists in the Asset module's category selector input field, allowing remote attackers to inject arbitrary web script or HTML via the
com liferay asset categories admin web portlet AssetCategoriesAdminPortlet title parameter.Recommendations:
For Liferay Portal version 7.3.5, update to a version that includes fix pack 1 or later.
For Liferay DXP version 7.3 before fix pack 1, apply fix pack 1 or later to resolve the issue.
As a temporary workaround, consider restricting access to the
com liferay asset categories admin web portlet AssetCategoriesAdminPortlet title parameter in the Asset module's category selector input field until a patch is available.Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Liferay Dxp
Liferay Portal