CVE-2021-29048

MEDIUM

Liferay Portal 7.3.4-7.3.5 and DXP < 7.2.10.fp11 - Cross-Site Scripting via GroupPagesPortlet Name Parameter

Title source: llm

Description

Cross-site scripting (XSS) vulnerability in the Layout module's page administration page in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.2 before fix pack 11 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_name parameter.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_misc

http://liferay.com

Vendor Advisory x_refsource_misc

https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743601

Scores

CVSS v3 6.1

EPSS 0.0047

EPSS Percentile 65.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (6)

com.liferay.portal/release.dxp.bom 0 - 7.2.10.fp11Maven

com.liferay.portal/release.portal.bom 7.3.4 - 7.3.6Maven

liferay/digital_experience_platform 7.2 (11 CPE variants)

liferay/dxp 7.3

liferay/liferay_portal 7.3.4

liferay/liferay_portal 7.3.5

Published May 17, 2021

Tracked Since Feb 18, 2026