CVE-2021-29046 — Cross-site Scripting in DXP

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

6.1MEDIUMNVD

EPSS

0.5%

top 35.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay DXP Liferay Portal

Timeline

PublishedMay 17

Latest updateMay 24

Description

Cross-site scripting (XSS) vulnerability in the Asset module's category selector input field in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_asset_categories_admin_web_portlet_AssetCategoriesAdminPortlet_title parameter.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDliferay/liferay_portal7.3.5

▶NVDliferay/dxp7.3

🔴Vulnerability Details

GHSA

Liferay Portal and Liferay DXP Vulnerable to Cross-Site Scripting (XSS) via Asset Module Parameter↗2022-05-24

▶

OSV

Liferay Portal and Liferay DXP Vulnerable to Cross-Site Scripting (XSS) via Asset Module Parameter↗2022-05-24

▶

CVEList

CVE-2021-29046: Cross-site scripting (XSS) vulnerability in the Asset module's category selector input field in Liferay Portal 7↗2021-05-17

▶