PT-2022-10704 · Liferay · Liferay Portal

Published: 2022-03-02 · Updated: 2022-06-05 · CVE-2021-38264

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.4.0 through 7.4.1

Description: A cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML into the management toolbar search via the keywords parameter. The issue stems from an incomplete fix.

Recommendations: For Liferay Portal versions 7.4.0 and 7.4.1, avoid using the keywords parameter in the management toolbar search until a patch is available. As a temporary workaround, consider restricting access to the management toolbar to reduce the risk of exploitation.

Tags: Fix, XSS


Related Identifiers

CVE-2021-38264
GHSA-9536-M86R-Q297

Affected Products

Liferay Portal