First published: Mon May 17 2021
Cross-site scripting (XSS) vulnerability in the Asset module's category selector input field in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_asset_categories_admin_web_portlet_AssetCategoriesAdminPortlet_title` parameter.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Liferay DXP | =7.3 | |
Liferay Portal | =7.3.5 | |
The CVE ID of this vulnerability is CVE-2021-29046.
The severity of CVE-2021-29046 is medium (6.1).
The affected software versions are Liferay DXP 7.3 and Liferay Portal 7.3.5.
An attacker can exploit CVE-2021-29046 by injecting arbitrary web script or HTML through the category selector input field in the Asset module.
More information about this vulnerability is available at the following references: [http://liferay.com](http://liferay.com) and [https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743501](https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743501).