CVE-2021-33332 — Liferay Portal and Liferay DXP Vulnerable to Cross-Site Scripting (XSS)

Description

Cross-site scripting (XSS) vulnerability in the Portlet Configuration module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 7, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_portlet_configuration_css_web_portlet_PortletConfigurationCSSPortlet_portletResource parameter.

How to fix CVE-2021-33332

To remediate CVE-2021-33332, upgrade the affected package to a fixed version below.

—upgrade to 7.1.10.fp19 or later
—no fix listed

Is CVE-2021-33332 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 7.1.0, < 7.1.10.fp19
>= 7.1.0, <= 7.3.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-33332
PATCHgithub.com/liferay/liferay-portal
WEBissues.liferay.com/browse/LPE-17053
WEBportal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748366