CVE-2021-29049
MEDIUMLiferay DXP 7.0-7.3 - Cross-Site Scripting via Portal Workflow Edit Process Page currentURL Parameter
Title source: llmDescription
Cross-site scripting (XSS) vulnerability in the Portal Workflow module's edit process page in Liferay DXP 7.0 before fix pack 99, 7.1 before fix pack 23, 7.2 before fix pack 12 and 7.3 before fix pack 1, allows remote attackers to inject arbitrary web script or HTML via the currentURL parameter.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_misc
http://liferay.com
Patch, Vendor Advisory x_refsource_confirm
https://issues.liferay.com/browse/LPE-17211
Scores
CVSS v3
6.1
EPSS
0.0028
EPSS Percentile
51.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (2)
com.liferay.portal/release.dxp.bom
7.0 - 7.0.10.fp99Maven
liferay/digital_experience_platform
7.0 (49 CPE variants)
Published
Jun 09, 2021
Tracked Since
Feb 18, 2026