CVE-2021-33339

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.2.1 through 7.3.4 Liferay DXP 7.2 before fix pack 9

Description A cross-site scripting (XSS) issue in the Fragment module allows remote attackers to inject arbitrary web script or HTML via the com liferay site admin web portlet SiteAdminPortlet name parameter. This enables attackers to execute malicious scripts on the victim's browser.

Recommendations For Liferay Portal versions 7.2.1 through 7.3.4, update to a version outside of this range or apply the necessary fix. For Liferay DXP 7.2, apply fix pack 9 or later to resolve the issue. As a temporary workaround, consider restricting access to the Fragment module until a patch is available. Avoid using the com liferay site admin web portlet SiteAdminPortlet name parameter in affected API endpoints until the issue is resolved.