PT-2021-18047 · Liferay · Liferay DXP

Published: 2021-06-09 · Updated: 2025-05-13 · CVE-2021-29049

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions:
Liferay DXP versions 7.0 through 7.0 before fix pack 99
Liferay DXP versions 7.1 through 7.1 before fix pack 23
Liferay DXP versions 7.2 through 7.2 before fix pack 12
Liferay DXP versions 7.3 through 7.3 before fix pack 1

Description: A cross-site scripting (XSS) issue exists in the Portal Workflow module's edit process page, allowing remote attackers to inject arbitrary web script or HTML via the currentURL parameter.

Recommendations:
For Liferay DXP version 7.0 before fix pack 99, update to fix pack 99 or later.
For Liferay DXP version 7.1 before fix pack 23, update to fix pack 23 or later.
For Liferay DXP version 7.2 before fix pack 12, update to fix pack 12 or later.
For Liferay DXP version 7.3 before fix pack 1, update to fix pack 1 or later.
As a temporary workaround, consider restricting access to the currentURL parameter in the affected API endpoint until a patch is available.

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2021-29049
GHSA-W28V-87G6-CJR6

Affected Products

Liferay DXP