PT-2021-20109 · Liferay · Liferay Portal+1

Published: 2021-08-03 · Updated: 2022-05-24 · CVE-2021-33328

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Liferay Portal versions 7.0.0 through 7.3.4
Liferay DXP version 7.0 before fix pack 96
Liferay DXP version 7.1 before fix pack 20
Liferay DXP version 7.2 before fix pack 9

Description

A cross-site scripting (XSS) issue exists in the Asset module's edit vocabulary page, allowing remote attackers to inject arbitrary web script or HTML via the _com_liferay_journal_web_portlet_JournalPortlet_name or _com_liferay_document_library_web_portlet_DLAdminPortlet_name parameter.

Recommendations

For Liferay Portal versions 7.0.0 through 7.3.4, update to a version after 7.3.4 to resolve the issue. For Liferay DXP version 7.0, apply fix pack 96 or later. For Liferay DXP version 7.1, apply fix pack 20 or later. For Liferay DXP version 7.2, apply fix pack 9 or later. As a temporary workaround, consider restricting access to the edit vocabulary page in the Asset module until a patch is available.

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2021-33328
GHSA-VPVM-3WFW-5F5C

Affected Products

Liferay DXP
Liferay Portal