CVE-2021-29048

moderate-risk
Published 2021-05-17

Cross-site scripting (XSS) vulnerability in the Layout module's page administration page in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.2 before fix pack 11 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_name parameter.

Do I need to act?

-
0.47% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.1/10 Medium
NETWORK / LOW complexity

Affected Products (14)

Dxp

Affected Vendors

Liferay

References (4)

Vendor Advisory http://liferay.com
Vendor Advisory https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publishe...
Vendor Advisory http://liferay.com
Vendor Advisory https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publishe...
43
/ 100
moderate-risk
Severity 23/34 · High
Exploitability 2/34 · Minimal
Exposure 18/34 · Moderate