PT-2022-10705 · Liferay · Liferay Portal

Published: 2022-03-02 · Updated: 2024-01-31 · CVE-2021-38265

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Liferay Portal versions 7.3.4 through 7.3.6

Description

A cross-site scripting (XSS) issue exists in the Asset module, allowing remote attackers to inject arbitrary web script or HTML when creating a collection page. This is achieved via the _com_liferay_asset_list_web_portlet_AssetListPortlet_title parameter.

Recommendations

For Liferay Portal versions 7.3.4 through 7.3.6, consider restricting access to the Asset module until a patch is available. As a temporary workaround, avoid using the _com_liferay_asset_list_web_portlet_AssetListPortlet_title parameter in the affected API endpoint until the issue is resolved.

Fix

XSS

Weakness Enumeration

Related Identifiers

BIT-LIFERAY-2021-38265
CVE-2021-38265
GHSA-3X83-WHXW-PVMG

Affected Products

Liferay Portal