First published: Wed Aug 04 2021
Cross-site scripting (XSS) vulnerability in the Fragment module in Liferay Portal 7.2.1 through 7.3.4, and Liferay DXP 7.2 before fix pack 9 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_site_admin_web_portlet_SiteAdminPortlet_name parameter.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Liferay DXP | =7.2 | |
Liferay DXP | =7.2-fix_pack_1 | |
Liferay DXP | =7.2-fix_pack_2 | |
Liferay DXP | =7.2-fix_pack_3 | |
Liferay DXP | =7.2-fix_pack_4 | |
Liferay DXP | =7.2-fix_pack_5 | |
Liferay DXP | =7.2-fix_pack_6 | |
Liferay DXP | =7.2-fix_pack_7 | |
Liferay DXP | =7.2-fix_pack_8 | |
Liferay Portal | >=7.2.1 <7.3.5 | |
CVE-2021-33339 is a cross-site scripting (XSS) vulnerability in the Fragment module in Liferay Portal 7.2.1 through 7.3.4, and Liferay DXP 7.2 before fix pack 9, which allows remote attackers to inject arbitrary web script or HTML.
CVE-2021-33339 has a severity rating of 4.8 (medium).
The affected software for CVE-2021-33339 includes Liferay Portal 7.2.1 through 7.3.4 and Liferay DXP 7.2 before fix pack 9.
To fix CVE-2021-33339, update your Liferay software to version 7.2-fix_pack_9 or higher.
You can find more information about CVE-2021-33339 at the following references: [link1](https://issues.liferay.com/browse/LPE-17102) [link2](https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747934)