CVE-2021-33337

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.3.0 through 7.3.4 Liferay DXP versions 7.1 before fix pack 20 Liferay DXP versions 7.2 before fix pack 9

Description A cross-site scripting (XSS) issue exists in the Document Library module's add document menu, allowing remote attackers to inject arbitrary web script or HTML via the com liferay document library web portlet DLAdminPortlet name parameter. This enables attackers to execute malicious scripts on the victim's browser.

Recommendations For Liferay Portal versions 7.3.0 through 7.3.4, update to a version after 7.3.4 to resolve the issue. For Liferay DXP version 7.1, apply fix pack 20 or later to address the vulnerability. For Liferay DXP version 7.2, apply fix pack 9 or later to mitigate the risk. As a temporary workaround, consider restricting access to the Document Library module's add document menu until a patch is applied.