First published: Mon May 17 2021
Cross-site scripting (XSS) vulnerability in the Layout module's page administration page in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.2 before fix pack 11 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_name parameter.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Liferay DXP | =7.2 | |
Liferay DXP | =7.2-fix_pack_1 | |
Liferay DXP | =7.2-fix_pack_10 | |
Liferay DXP | =7.2-fix_pack_2 | |
Liferay DXP | =7.2-fix_pack_3 | |
Liferay DXP | =7.2-fix_pack_4 | |
Liferay DXP | =7.2-fix_pack_5 | |
Liferay DXP | =7.2-fix_pack_6 | |
Liferay DXP | =7.2-fix_pack_7 | |
Liferay DXP | =7.2-fix_pack_8 | |
Liferay DXP | =7.2-fix_pack_9 | |
Liferay DXP | =7.3 | |
Liferay Portal | =7.3.4 | |
Liferay Portal | =7.3.5 | |
CVE-2021-29048 is a cross-site scripting (XSS) vulnerability in the Layout module's page administration page in Liferay Portal 7.3.4, 7.3.5, and Liferay DXP 7.2 before fix pack 11 and 7.3 before fix pack 1.
CVE-2021-29048 allows remote attackers to inject arbitrary web script or HTML into the Layout module's page administration page in Liferay Portal 7.3.4, 7.3.5, and Liferay DXP 7.2 before fix pack 11 and 7.3 before fix pack 1.
CVE-2021-29048 has a severity score of 6.1 (Medium).
To fix CVE-2021-29048, upgrade to Liferay Portal 7.3.4 or 7.3.5 or Liferay DXP 7.2 fix pack 11, or Liferay DXP 7.3 fix pack 1.
More information about CVE-2021-29048 can be found at the following sources: [Liferay Official Website](http://liferay.com) and [Liferay Portal Security Advisory](https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743601).