CVE-2021-38269
MEDIUM
Liferay Portal 7.1.0-7.3.6 and 7.4.0 - Stored Cross-Site Scripting via Gogo Shell Command Output
Title source: llm
Description
Cross-site scripting (XSS) vulnerability in the Gogo Shell module in Liferay Portal 7.1.0 through 7.3.6 and 7.4.0, and Liferay DXP 7.1 before fix pack 23, 7.2 before fix pack 13, and 7.3 before fix pack 2 allows remote attackers to inject arbitrary web script or HTML via the output of a Gogo Shell command.
References (2)
Core References
Product x_refsource_misc
http://liferay.com
Patch, Vendor Advisory x_refsource_misc
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38269-stored-xss-with-gogo-shell-output
Scores
CVSS v3
5.4
EPSS
0.0018
EPSS Percentile
38.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (7)
com.liferay/com.liferay.gogo.shell.web
0 - 5.0.2 (Maven)
com.liferay.portal/release.dxp.bom
7.1.0 - 7.1.10.fp23 (Maven)
liferay/digital_experience_platform
7.1 (24 CPE variants)
liferay/digital_experience_platform
7.2 (13 CPE variants)
liferay/digital_experience_platform
7.3 (2 CPE variants)
liferay/liferay_portal
7.4.0
liferay/liferay_portal
7.1.0 - 7.3.6
Published
Mar 03, 2022
Tracked Since
Feb 18, 2026