CVE-2021-29048
Description
Cross-site scripting (XSS) vulnerability in the Layout module's page administration page in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.2 before fix pack 11 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_name parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Liferay Portal 7.3.4/7.3.5 and DXP 7.2/7.3 contain a stored XSS via the Layout module's page name parameter, allowing arbitrary script injection.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the Layout module's page administration page in Liferay Portal 7.3.4 and 7.3.5, and in Liferay DXP 7.2 before fix pack 11 and 7.3 before fix pack 1. The flaw is triggered via the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_name parameter, which is not properly sanitized, allowing injection of arbitrary web script or HTML.[1][4]
Exploitation
An attacker with network access to the page administration interface can inject malicious script or HTML into the page name parameter. No special authentication is required beyond the ability to modify site page names, which may be available to users with appropriate permissions. The injected payload is stored and subsequently executed when other users visit the affected page administration page.[1][4]
Impact
Successful exploitation results in stored XSS, enabling the attacker to execute arbitrary web script or HTML in the context of the victim's browser session. This could lead to session hijacking, credential theft, or defacement of the administrative interface, depending on the victim's privileges.[1][4]
Mitigation
Liferay Portal 7.3 users should upgrade to version 7.3 CE GA7 (7.3.6) or later. Liferay DXP 7.2 users should apply fix pack 11, and DXP 7.3 users should apply fix pack 1. No patch is available for the specific 7.3.4 and 7.3.5 versions; upgrading is the recommended course of action.[4]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (ecosystem) | Affected versions | Patched versions |
|---|---|---|
| com.liferay.portal:release.portal.bom (Maven) | >= 7.3.4, < 7.3.6 | 7.3.6 |
| com.liferay.portal:release.dxp.bom (Maven) | < 7.2.10.fp11 | 7.2.10.fp11 |
| com.liferay.portal:release.dxp.bom (Maven) | >= 7.3.0, < 7.3.10.fp1 | 7.3.10.fp1 |
Affected products
- Liferay/Portal (from the CVE description)
  - Range: 7.3.4, 7.3.5
- GHSA coordinates (no CPE)
  - Range: < 7.2.10.fp11
  - Range: >= 7.3.4, < 7.3.6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] https://github.com/advisories/GHSA-4fx8-82f3-xcpc (GHSA, advisory)
- [2] https://nvd.nist.gov/vuln/detail/CVE-2021-29048 (GHSA, advisory)
- [3] https://liferay.com (GHSA, x_refsource_MISC, web)
- [4] https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743601 (GHSA, x_refsource_MISC, web)
- [5] https://web.archive.org/web/20210524222536/https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743601 (GHSA, web)
News mentions
No linked articles in our index yet.