VYPR
Moderate severity · NVD Advisory · Published May 16, 2021 · Updated Aug 3, 2024

CVE-2021-29039

Description

Cross-site scripting (XSS) vulnerability in the Asset module's categories administration page in Liferay Portal 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the site name.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Liferay Portal's Asset module categories page via site name.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in the Asset module's categories administration page in Liferay Portal 7.3.4 [1][2][4]. The site name is not properly sanitized before being displayed on that page, which allows remote attackers to inject arbitrary web script or HTML via the site name field [1][4].

Exploitation

An attacker needs network access to the Liferay Portal instance and sufficient permissions to access the Asset module's categories administration page [1][4]. The attacker can inject malicious script or HTML into the site name field, which is then stored and subsequently executed when the categories administration page is rendered for other users [1][4]. No user interaction beyond viewing the affected page is required for successful exploitation [1][4].

Impact

Successful exploitation allows an attacker to execute arbitrary web script or HTML in the context of the victim's browser session [1][4]. This can lead to information disclosure, session hijacking, or other malicious activities that the injected script can perform [1][4]. The impact is limited to the browser session of users who view the affected categories page [1][4].

Mitigation

Liferay Portal 7.3.4 has no patch available [4]. Users should upgrade to Liferay Portal CE 7.3 GA6 (7.3.5) or later to remediate the vulnerability [4]. No other workaround is disclosed in the available references [1][2][3][4].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
com.liferay.portal:release.portal.bom (Maven) | >= 7.3.4, < 7.3.5 | 7.3.5
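
A check for whether a Maven build imports the affected BOM version, using the coordinates and range listed under Affected packages. This is an added example, not code from Liferay or the advisory; the sample POM and its property name `liferay.bom.version` are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Coordinates and range taken from the advisory's affected-package entry
GROUP, ARTIFACT = "com.liferay.portal", "release.portal.bom"
AFFECTED_MIN, FIXED = (7, 3, 4), (7, 3, 5)  # >= 7.3.4, < 7.3.5

# Constructed sample POM; the property name is hypothetical
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><liferay.bom.version>7.3.4</liferay.bom.version></properties>
  <dependencyManagement><dependencies>
    <dependency>
      <groupId>com.liferay.portal</groupId>
      <artifactId>release.portal.bom</artifactId>
      <version>${liferay.bom.version}</version>
      <type>pom</type><scope>import</scope>
    </dependency>
  </dependencies></dependencyManagement>
</project>"""

def is_affected(version):
    """True/False for a numeric version, None when it cannot be evaluated."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if m is None:
        return None  # empty or unresolved ${...}: needs manual review
    v = tuple(int(p) for p in m.group(0).split("."))
    v = (v + (0, 0, 0))[:3]  # compare on major.minor.patch only
    return AFFECTED_MIN <= v < FIXED

def audit_pom(pom_xml):
    """Return [(resolved_version, affected)] for each release.portal.bom entry."""
    root = ET.fromstring(pom_xml)  # intended for your own, trusted POM files
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]  # drop the Maven XML namespace
    props = {p.tag: (p.text or "").strip() for p in root.findall("properties/*")}
    results = []
    for dep in root.iter("dependency"):
        coords = tuple((dep.findtext(k) or "").strip() for k in ("groupId", "artifactId"))
        if coords != (GROUP, ARTIFACT):
            continue
        raw = (dep.findtext("version") or "").strip()
        # Resolve ${property} placeholders defined in this same POM
        resolved = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), raw)
        results.append((resolved, is_affected(resolved)))
    return results

if __name__ == "__main__":
    for version, affected in audit_pom(SAMPLE_POM):
        print(f"{GROUP}:{ARTIFACT} {version or '(inherited)'} affected={affected}")
```

A result of `None` means the version is inherited or set by a property defined outside the file (for example in a parent POM), so it has to be resolved with the build tool before the range can be applied.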
