Description
Cross-site scripting (XSS) vulnerability in the Server module's script console in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 101, 7.1 before fix pack 20 and 7.2 before fix pack 10 allows remote attackers to inject arbitrary web script or HTML via the output of a script.
References (3)
Core 3
Core References
Product x_refsource_misc
http://liferay.com
Patch, Vendor Advisory x_refsource_misc
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38263-reflected-xss-with-script-page
Issue Tracking, Vendor Advisory x_refsource_misc
https://issues.liferay.com/browse/LPE-17061
Scores
CVSS v3
6.1
EPSS
0.0053
EPSS Percentile
67.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (3)
com.liferay/com.liferay.server.admin.web
0 - 4.0.12Maven
com.liferay.portal/release.dxp.bom
0Maven
liferay/digital_experience_platform
7.0 (48 CPE variants)
Published
Mar 03, 2022
Tracked Since
Feb 18, 2026