CVE-2021-29046 — Liferay Portal and Liferay DXP Vulnerable to Cross-Site Scripting (XSS) via Asse

Description

Cross-site scripting (XSS) vulnerability in the Asset module's category selector input field in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_asset_categories_admin_web_portlet_AssetCategoriesAdminPortlet_title parameter.

How to fix CVE-2021-29046

To remediate CVE-2021-29046, upgrade the affected package to a fixed version below.

—upgrade to 7.3.10.fp1 or later
—no fix listed

Is CVE-2021-29046 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 7.3.10.fp0, < 7.3.10.fp1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-29046
PATCHgithub.com/liferay/liferay-portal
WEBliferay.com
WEBportal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743501