CVE-2019-16147
Description
Liferay Portal through 7.2.0 GA1 is vulnerable to stored XSS via a journal article title due to insufficient escaping.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Description
CVE-2019-16147 is a stored cross-site scripting (XSS) vulnerability in Liferay Portal up to version 7.2.0 GA1. The root cause is that journal_article/page.jsp in the journal-taglib module does not properly escape the journal article title when rendering it on the page. [2] The commit fixing this issue adds HtmlUtil.escape() to the title output, indicating that the title was previously rendered without HTML encoding. [3]
Exploitation
An attacker with the ability to create or edit journal articles can inject malicious JavaScript into the article title. When other users view the article, the injected script executes in their browser. No special privileges beyond those required to create or edit articles are needed, as the vulnerability affects the display of the title for all viewers. [2]
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, defacement, or theft of sensitive information. The attack does not require user interaction beyond viewing the compromised article.
Mitigation
The vulnerability is fixed in versions after 7.2.0 GA1. Users should upgrade to a patched release. The fix was implemented in commit 7e063aed70f947a92bb43a4471e0c4e650fe8f7f, which escapes the article title using HtmlUtil.escape(). [3] No workaround is available beyond upgrading.
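To make the mechanics concrete, the following is an added example (not Liferay's code) that models the page.jsp output in Python: the title is escaped in the data-analytics-asset-title attribute, while the text-node copy is emitted raw before the fix and HTML-escaped after it. The render function, the sample title and the leak check are constructed for this illustration.

```python
import html
import re

# Constructed sample values for this example; not taken from any real deployment.
SAMPLE_TITLE = 'Q3 <b>report</b> & "notes"'
SAMPLE_CONTENT = "<p>Body of the web content article.</p>"


def render_article(title, content, show_title=True, escape_title=False):
    """Simplified, hypothetical model of journal_article/page.jsp.

    The attribute value was already escaped before the fix (escapeAttribute).
    escape_title=False models the vulnerable text-node output,
    escape_title=True models the fix (HtmlUtil.escape on the title).
    The article body is emitted as-is, as the JSP does.
    """
    attr_title = html.escape(title, quote=True)   # attribute context: quotes encoded too
    text_title = html.escape(title, quote=False) if escape_title else title
    parts = [
        f'<div class="journal-content-article" data-analytics-asset-title="{attr_title}">'
    ]
    if show_title:
        parts.append(text_title)  # text-node context
    parts.append(content)
    parts.append("</div>")
    return "".join(parts)


TAG_RE = re.compile(r"<[^>]+>")


def title_leaks_markup(rendered, title):
    """Regression check: if any raw tag present in the untrusted title survives
    verbatim in the rendered HTML, the title was not escaped for the text node.
    (The escaped attribute never contains a raw '<', so a hit means the text node.)"""
    return any(tag in rendered for tag in TAG_RE.findall(title))


if __name__ == "__main__":
    for escaped in (False, True):
        out = render_article(SAMPLE_TITLE, SAMPLE_CONTENT, escape_title=escaped)
        print(f"escape_title={escaped}: leaks={title_leaks_markup(out, SAMPLE_TITLE)}")
        print(out)
```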
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.liferay:com.liferay.journal.taglib (Maven) | < 3.0.4 | 3.0.4 |
Affected products
- Liferay / Liferay Portal
Patches
- 7e063aed70f9: LPS-100758 Escape journal article title to avoid potential XSS
1 file changed · +1 −1
modules/apps/journal/journal-taglib/src/main/resources/META-INF/resources/journal_article/page.jsp+1 −1 modified@@ -26,7 +26,7 @@ String wrapperCssClass = (String)request.getAttribute("liferay-journal:journal-a <div class="journal-content-article <%= Validator.isNotNull(wrapperCssClass) ? wrapperCssClass : StringPool.BLANK %>" data-analytics-asset-id="<%= articleDisplay.getArticleId() %>" data-analytics-asset-title="<%= HtmlUtil.escapeAttribute(articleDisplay.getTitle()) %>" data-analytics-asset-type="web-content"> <c:if test="<%= showTitle %>"> - <%= articleDisplay.getTitle() %> + <%= HtmlUtil.escape(articleDisplay.getTitle()) %> </c:if> <%= articleDisplay.getContent() %>
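Review bot: the article body `<%= articleDisplay.getContent() %>` emitted right after the changed `<c:if>` block is still written without escaping; if that is intended because web-content bodies are stored as already-sanitized HTML, the commit message should say so, since the hunk now escapes one output of the element while leaving the adjacent one raw. The title change itself is consistent with the existing `data-analytics-asset-title="<%= HtmlUtil.escapeAttribute(articleDisplay.getTitle()) %>"` in the same element: escapeAttribute() for the attribute context and the new HtmlUtil.escape() for the text-node context.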
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/advisories/GHSA-m2gx-7pvx-3gvg (ADVISORY)
2. nvd.nist.gov/vuln/detail/CVE-2019-16147 (ADVISORY)
3. github.com/liferay/liferay-portal/commit/7e063aed70f947a92bb43a4471e0c4e650fe8f7f (WEB)
News mentions
No linked articles in our index yet.