CVE-2021-38269
MEDIUMLiferay Portal 7.1.0-7.3.6 and 7.4.0 - Stored Cross-Site Scripting via Gogo Shell Command Output
Title source: llmDescription
Cross-site scripting (XSS) vulnerability in the Gogo Shell module in Liferay Portal 7.1.0 through 7.3.6 and 7.4.0, and Liferay DXP 7.1 before fix pack 23, 7.2 before fix pack 13, and 7.3 before fix pack 2 allows remote attackers to inject arbitrary web script or HTML via the output of a Gogo Shell command.
References (2)
Core 2
Core References
Product x_refsource_misc
http://liferay.com
Scores
CVSS v3
5.4
EPSS
0.0057
EPSS Percentile
43.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (7)
com.liferay/com.liferay.gogo.shell.web
0 - 5.0.2Maven
com.liferay.portal/release.dxp.bom
7.1.0 - 7.1.10.fp23Maven
liferay/digital_experience_platform
7.1 (24 CPE variants)
liferay/digital_experience_platform
7.2 (13 CPE variants)
liferay/digital_experience_platform
7.3 (2 CPE variants)
liferay/liferay_portal
7.4.0
liferay/liferay_portal
7.1.0 - 7.3.6
Published
Mar 03, 2022
Tracked Since
Feb 18, 2026