PT-2022-10707 · Liferay · Liferay Portal+1

Published 2022-03-02 · Updated 2024-01-31 · CVE-2021-38267

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Liferay Portal versions 7.3.2 through 7.3.6
Liferay DXP 7.3 before fix pack 2
Description
A cross-site scripting (XSS) issue exists in the Blogs module's edit blog entry page. A remote attacker who can create or edit a blog entry (an authenticated user, PR:L in the vector) can inject arbitrary web script or HTML via the `_com_liferay_blogs_web_portlet_BlogsAdminPortlet_title` or `_com_liferay_blogs_web_portlet_BlogsAdminPortlet_subtitle` parameter of the edit form; the payload is stored with the entry and executes in the browser of another user who opens that page (UI:R, scope changed), under the portal's origin.
Recommendations
For Liferay Portal versions 7.3.2 through 7.3.6, update to a release after 7.3.6 (7.3.7 or later). For Liferay DXP 7.3 before fix pack 2, apply fix pack 2 or later.
Until the update is applied, reduce exposure by restricting the permission to create and edit blog entries (and access to the Blogs admin portlet's edit page) to trusted roles, since exploitation requires an authenticated user who can submit that form. Note that the title and subtitle are ordinary fields of the edit form, so they cannot simply be left out; treat any submission of those parameters that contains markup as suspicious and review existing entries for injected HTML before users are allowed back onto the page.
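The two checks a practitioner would run against the description and recommendations above, as an added example that is not code from the advisory or from the Liferay project: a version triage of a server by its HTTP fingerprint, a request-side detector for markup in the two parameters the advisory names, and a minimal illustration of the fix principle (output-encode the stored text). Assumptions not stated on the page: the server version is read from the `Liferay-Portal` response header in the form `Liferay Community Edition Portal 7.3.6 CE GA7 (...)`, the edit form is submitted as `application/x-www-form-urlencoded`, and DXP fix pack levels are not visible in that header, so DXP servers are reported for manual fix pack review. The sample header and request body are constructed, not captured.

```python
"""Added example for CVE-2021-38267 (not code from Positive Technologies or Liferay).

Checks:
  1. is this Liferay Portal build inside the affected range 7.3.2 - 7.3.6?
  2. does an edit-blog-entry request carry markup in the two named parameters?
  3. what the fix looks like in principle: HTML-encode user text on output.
Assumptions: version comes from the Liferay-Portal response header; the form is
urlencoded; DXP fix pack level is not readable from the header.
"""
import html
import re
from urllib.parse import parse_qs

# Affected Portal range from the advisory (inclusive).
AFFECTED_MIN = (7, 3, 2)
AFFECTED_MAX = (7, 3, 6)

# Parameter names from the CVE description (portlet-namespaced form fields).
VULN_PARAMS = (
    "_com_liferay_blogs_web_portlet_BlogsAdminPortlet_title",
    "_com_liferay_blogs_web_portlet_BlogsAdminPortlet_subtitle",
)

# Assumed header shape: "... Portal 7.3.6 CE GA7 (...)".
_VERSION_RE = re.compile(r"Portal\s+(\d+)\.(\d+)\.(\d+)")
# Rough markup/script indicators; tune to your own false-positive tolerance.
_MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=", re.I)


def parse_portal_version(liferay_portal_header):
    """Return (major, minor, patch) parsed from a Liferay-Portal header, or None."""
    m = _VERSION_RE.search(liferay_portal_header)
    return tuple(int(g) for g in m.groups()) if m else None


def assess_version(liferay_portal_header):
    """Classify a server: 'affected', 'not-affected', 'dxp-check-fixpack' or 'unknown'."""
    if "Digital Experience Platform" in liferay_portal_header:
        # DXP 7.3 before fix pack 2 is affected; the fix pack is not in the header.
        return "dxp-check-fixpack"
    version = parse_portal_version(liferay_portal_header)
    if version is None:
        return "unknown"
    return "affected" if AFFECTED_MIN <= version <= AFFECTED_MAX else "not-affected"


def find_injected_params(form_body):
    """Return {param: decoded value} for the advisory's parameters that carry markup."""
    fields = parse_qs(form_body, keep_blank_values=True)
    hits = {}
    for name in VULN_PARAMS:
        for value in fields.get(name, []):
            if _MARKUP_RE.search(value):
                hits[name] = value
    return hits


def render_title(title, escape=True):
    """The fix in principle: encode user text before placing it in an HTML attribute.

    escape=False reproduces the vulnerable pattern (raw concatenation) for contrast;
    it is not a copy of Liferay's code.
    """
    shown = html.escape(title, quote=True) if escape else title
    return f'<input name="title" value="{shown}">'


# Constructed samples (not captured from a real system).
SAMPLE_HEADER = (
    "Liferay Community Edition Portal 7.3.6 CE GA7 "
    "(Athanasius / Build 7306 / March 4, 2021)"
)
SAMPLE_BODY = (
    "_com_liferay_blogs_web_portlet_BlogsAdminPortlet_title=Weekly+update"
    "&_com_liferay_blogs_web_portlet_BlogsAdminPortlet_subtitle="
    "%22%3E%3Cimg+src%3Dx+onerror%3Dalert(1)%3E"
    "&_com_liferay_blogs_web_portlet_BlogsAdminPortlet_content=hello"
)

if __name__ == "__main__":
    print("version:", assess_version(SAMPLE_HEADER))
    for name, value in find_injected_params(SAMPLE_BODY).items():
        print(f"suspicious {name}: {value!r}")
    print("vulnerable:", render_title('"><script>x</script>', escape=False))
    print("fixed:     ", render_title('"><script>x</script>'))
```

`find_injected_params` is meant to sit in a WAF rule, a reverse-proxy log review or a replay over captured request bodies; it only looks at the two parameters the advisory names, so a stored payload already in the database must be found by reviewing existing entries, not by this request-side check.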

Fix

XSS

Weakness Enumeration

Related Identifiers

BIT-LIFERAY-2021-38267
CVE-2021-38267
GHSA-r39x-3qq4-gxmr

Affected Products

Liferay DXP
Liferay Portal