CVE-2021-33332

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.1.0 through 7.3.2 Liferay DXP versions 7.1 before fix pack 19 Liferay DXP versions 7.2 before fix pack 7

Description A cross-site scripting (XSS) issue in the Portlet Configuration module allows remote attackers to inject arbitrary web script or HTML via the com liferay portlet configuration css web portlet PortletConfigurationCSSPortlet portletResource parameter. This enables attackers to execute malicious scripts on the victim's browser.

Recommendations For Liferay Portal versions 7.1.0 through 7.3.2, update to a version outside of this range or apply the necessary fix pack. For Liferay DXP version 7.1, apply fix pack 19 or later. For Liferay DXP version 7.2, apply fix pack 7 or later. As a temporary workaround, consider restricting access to the com liferay portlet configuration css web portlet PortletConfigurationCSSPortlet portletResource parameter to minimize the risk of exploitation.