CVE-2021-29051

Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.2.1 through 7.3.5 Liferay DXP versions 7.1 before fix pack 21 Liferay DXP versions 7.2 before fix pack 10 Liferay DXP versions 7.3 before fix pack 1

Description: A cross-site scripting (XSS) issue exists in the Asset module's Asset Publisher app, allowing remote attackers to inject arbitrary web script or HTML via the com liferay asset publisher web portlet AssetPublisherPortlet INSTANCE XXXXXXXXXXXX assetEntryId parameter. This enables attackers to execute malicious scripts on the victim's browser.

Recommendations: For Liferay Portal versions 7.2.1 through 7.3.5, update to a version outside of this range to resolve the issue. For Liferay DXP version 7.1, apply fix pack 21 or later. For Liferay DXP version 7.2, apply fix pack 10 or later. For Liferay DXP version 7.3, apply fix pack 1 or later. As a temporary workaround, consider restricting access to the com liferay asset publisher web portlet AssetPublisherPortlet INSTANCE XXXXXXXXXXXX assetEntryId parameter in the Asset Publisher app to minimize the risk of exploitation.