CVE-2021-33328
MEDIUMLiferay Digital Experience Platform 7.0.0-7.3.4 - Cross-Site Scripting via Asset Module Vocabulary Parameters
Title source: llmDescription
Cross-site scripting (XSS) vulnerability in the Asset module's edit vocabulary page in Liferay Portal 7.0.0 through 7.3.4, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20, and 7.2 before fix pack 9, allows remote attackers to inject arbitrary web script or HTML via the (1) _com_liferay_journal_web_portlet_JournalPortlet_name or (2) _com_liferay_document_library_web_portlet_DLAdminPortlet_name parameter.
References (2)
Core 2
Core References
Release Notes, Vendor Advisory x_refsource_confirm
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747972
Patch, Vendor Advisory x_refsource_confirm
https://issues.liferay.com/browse/LPE-17100
Scores
CVSS v3
5.4
EPSS
0.0015
EPSS Percentile
34.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (3)
com.liferay.portal/release.dxp.bom
7.0.10.fp0 - 7.0.10.fp96Maven
com.liferay.portal/release.portal.bom
7.0.0Maven
liferay/digital_experience_platform
7.0 (48 CPE variants)
Published
Aug 03, 2021
Tracked Since
Feb 18, 2026