CVE-2021-29049 — Cross-site Scripting in Digital Experience Platform

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

6.1MEDIUMNVD

EPSS

0.3%

top 48.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Digital Experience Platform Liferay DXP

Timeline

PublishedJun 9

Latest updateMay 24

Description

Cross-site scripting (XSS) vulnerability in the Portal Workflow module's edit process page in Liferay DXP 7.0 before fix pack 99, 7.1 before fix pack 23, 7.2 before fix pack 12 and 7.3 before fix pack 1, allows remote attackers to inject arbitrary web script or HTML via the currentURL parameter.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDliferay/dxp7.3

▶NVDliferay/digital_experience_platform7.0, 7.1, 7.2+2

Patches

Patch: issues.liferay.com ↗Patch: issues.liferay.com ↗

🔴Vulnerability Details

OSV

Liferay DXP Vulnerable to Cross-Site Scripting (XSS) via the currentURL Parameter↗2022-05-24

▶

GHSA

Liferay DXP Vulnerable to Cross-Site Scripting (XSS) via the currentURL Parameter↗2022-05-24

▶

CVEList

CVE-2021-29049: Cross-site scripting (XSS) vulnerability in the Portal Workflow module's edit process page in Liferay DXP 7↗2021-06-09

▶