CVE-2021-29048

Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.3.4 through 7.3.5 Liferay DXP versions 7.2 before fix pack 11 Liferay DXP versions 7.3 before fix pack 1

Description: A cross-site scripting (XSS) issue exists in the Layout module's page administration page, allowing remote attackers to inject arbitrary web script or HTML via the com liferay layout admin web portlet GroupPagesPortlet name parameter. This enables attackers to execute malicious scripts on the client-side.

Recommendations: For Liferay Portal versions 7.3.4 through 7.3.5, apply fix pack 1 or later to resolve the issue. For Liferay DXP versions 7.2 before fix pack 11, apply fix pack 11 or later to resolve the issue. For Liferay DXP versions 7.3 before fix pack 1, apply fix pack 1 or later to resolve the issue. As a temporary workaround, consider restricting access to the Layout module's page administration page until a fix is applied. Avoid using the com liferay layout admin web portlet GroupPagesPortlet name parameter in the affected page until the issue is resolved.