CVE-2021-33326 — Liferay Portal and Liferay DXP Cross-site scripting (XSS) vulnerability in the F

Description

Cross-site scripting (XSS) vulnerability in the Frontend JS module before version 4.0.18, in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20 and 7.2 before fix pack 9, allows remote attackers to inject arbitrary web script or HTML via the title of a modal window.

How to fix CVE-2021-33326

To remediate CVE-2021-33326, upgrade the affected package to a fixed version below.

—upgrade to 4.0.18 or later
—upgrade to 7.0.10.fp96 or later

Is CVE-2021-33326 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 4.0.18
>= 7.0.0, < 7.0.10.fp96

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-33326
PATCHgithub.com/liferay/liferay-portal
WEBgithub.com/liferay/liferay-portal/commit/eb0590cea2d899f9e95bdb2e767466b8444aa573
WEBissues.liferay.com/browse/LPE-17093