Description
Cross-site scripting (XSS) vulnerability in the Frontend JS module in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20 and 7.2 before fix pack 9, allows remote attackers to inject arbitrary web script or HTML via the title of a modal window.
References (2)
Core 2
Core References
Release Notes, Vendor Advisory x_refsource_confirm
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747869
Patch, Vendor Advisory x_refsource_confirm
https://issues.liferay.com/browse/LPE-17093
Scores
CVSS v3
6.1
EPSS
0.0042
EPSS Percentile
62.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (3)
com.liferay/com.liferay.frontend.js.aui.web
0 - 4.0.18Maven
com.liferay.portal/release.dxp.bom
7.0.0 - 7.0.10.fp96Maven
liferay/digital_experience_platform
7.0 (48 CPE variants)
Published
Aug 03, 2021
Tracked Since
Feb 18, 2026