Cross-site Scripting Vulnerability in Liferay Portal by Liferay
CVE-2021-38265

5.4 MEDIUM

Key Information:

Vendor: Liferay

CVE Published: 3 March 2022

What is CVE-2021-38265?

The Asset module in Liferay Portal versions 7.3.4 through 7.3.6 is susceptible to a cross-site scripting (XSS) vulnerability. This flaw enables remote attackers to craft and inject arbitrary web scripts or HTML content by exploiting the _com_liferay_asset_list_web_portlet_AssetListPortlet_title parameter when a collection page is created. Such vulnerabilities can lead to unauthorized access and manipulation of user data, posing significant risks to the integrity of the affected systems and their users.

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
