CVE-2021-38264
MEDIUM
Liferay Portal 7.4.0-7.4.1 - Reflected Cross-Site Scripting via Keywords Parameter
Title source: llm
Description
Cross-site scripting (XSS) vulnerability in the Frontend Taglib module in Liferay Portal 7.4.0 and 7.4.1 allows remote attackers to inject arbitrary web script or HTML into the management toolbar search via the `keywords` parameter. This issue is caused by an incomplete fix in CVE-2021-35463.
References (2)
Core References
Product x_refsource_misc
http://liferay.com
Patch, Vendor Advisory x_refsource_misc
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38264-reflected-xss-with-keywords-in-search
Scores
CVSS v3
6.1
EPSS
0.0029
EPSS Percentile
52.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (3)
com.liferay/com.liferay.frontend.taglib.clay
0 - 7.1.15 Maven
liferay/liferay_portal
7.4.0
liferay/liferay_portal
7.4.1
Published
Mar 03, 2022
Tracked Since
Feb 18, 2026