CVE-2021-29051 — Liferay Portal and Liferay DXP Vulnerable to Cross-Site Scripting (XSS) in Asset

Description

Cross-site scripting (XSS) vulnerability in the Asset module's Asset Publisher app in Liferay Portal 7.2.1 through 7.3.5, and Liferay DXP 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_XXXXXXXXXXXX_assetEntryId parameter.

How to fix CVE-2021-29051

To remediate CVE-2021-29051, upgrade the affected package to a fixed version below.

—upgrade to 7.1.10.fp21 or later
—upgrade to 7.3.6 or later

Is CVE-2021-29051 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 7.1.10.fp21
>= 7.2.1, < 7.3.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-29051
PATCHgithub.com/liferay/liferay-portal
WEBliferay.com
WEBportal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743580