CVE-2021-33336

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.3.0 through 7.3.3 Liferay DXP 7.1 fix pack 18 Liferay DXP 7.2 fix pack 5 through 7

Description A cross-site scripting (XSS) issue exists in the Journal module's add article menu, allowing remote attackers to inject arbitrary web script or HTML via the com liferay journal web portlet JournalPortlet name parameter. This enables attackers to execute malicious scripts on the client-side.

Recommendations For Liferay Portal versions 7.3.0 through 7.3.3, update to a version outside of this range to resolve the issue. For Liferay DXP 7.1 fix pack 18, consider upgrading to a newer fix pack to mitigate the risk. For Liferay DXP 7.2 fix pack 5 through 7, restrict access to the Journal module's add article menu until a patch is available. As a temporary workaround, consider disabling the com liferay journal web portlet JournalPortlet name parameter to minimize the risk of exploitation.