CVE-2021-29051
Description
Cross-site scripting (XSS) vulnerability in the Asset module's Asset Publisher app in Liferay Portal 7.2.1 through 7.3.5, and Liferay DXP 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_XXXXXXXXXXXX_assetEntryId parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Liferay Portal 7.2.1-7.3.5 and DXP 7.1-7.3 via assetEntryId parameter in Asset Publisher portlet.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in the Asset Publisher app of Liferay Portal versions 7.2.1 through 7.3.5, and in Liferay DXP versions 7.1 before fix pack 21, 7.2 before fix pack 10, and 7.3 before fix pack 1 [1][3]. The flaw resides in the handling of the _com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_XXXXXXXXXXXX_assetEntryId parameter, which is not properly sanitized before being reflected back to the user [1]. No special configuration is required; the vulnerable code path is reachable by default in the Asset Publisher portlet.
Exploitation
An attacker can exploit this vulnerability by crafting a malicious URL containing a JavaScript payload in the assetEntryId parameter and tricking a victim into clicking it [1]. No authentication or prior access is needed; the attack is performed remotely over HTTP/HTTPS. The victim's browser will execute the injected script in the context of the Liferay portal session, allowing the attacker to perform actions such as stealing session cookies or defacing the page.
Impact
Successful exploitation allows an unauthenticated remote attacker to inject arbitrary web script or HTML into the victim's browser session [1]. This can lead to session hijacking, credential theft, or other client-side attacks that compromise the confidentiality and integrity of the user's interaction with the portal. The attacker gains the same privileges as the victim within the Liferay application.
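The narrative above describes the general shape of the flaw (a request parameter echoed into the response without encoding) but not Liferay's actual code. The following Java snippet is an added, hypothetical illustration, not Liferay's source and not a reconstruction of the patched code: it shows a naive echo of an `assetEntryId`-style parameter beside a hardened version that first validates the value as a numeric id and then entity-encodes whatever it renders. Class and method names, and the HTML fragment, are assumptions made for the example.

```java
import java.util.Optional;

/**
 * Hypothetical illustration of a reflected-parameter XSS and its hardened form.
 * This is NOT Liferay's code; the names and the HTML fragment are assumptions.
 */
public class AssetEntryIdReflection {

    // Vulnerable pattern: the raw request parameter is concatenated into HTML,
    // so any markup in the value becomes part of the page.
    static String renderVulnerable(String assetEntryId) {
        return "<div class=\"error\">Asset entry " + assetEntryId + " not found</div>";
    }

    // Hardened step 1: an asset entry id is a number; reject anything else up front.
    // (Defence in depth; output encoding below is the primary fix.)
    static Optional<Long> parseAssetEntryId(String raw) {
        if (raw == null || raw.length() > 19 || !raw.matches("\\d+")) {
            return Optional.empty();
        }
        try {
            return Optional.of(Long.parseLong(raw));
        } catch (NumberFormatException e) {
            return Optional.empty();
        }
    }

    // Hardened step 2: anything placed into an HTML text context is entity-encoded.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    static String renderHardened(String rawAssetEntryId) {
        Optional<Long> id = parseAssetEntryId(rawAssetEntryId);
        if (id.isEmpty()) {
            // Do not echo the rejected value at all.
            return "<div class=\"error\">Invalid asset entry id</div>";
        }
        return "<div class=\"error\">Asset entry "
                + escapeHtml(id.get().toString()) + " not found</div>";
    }

    public static void main(String[] args) {
        // Constructed inputs for the demonstration; not values taken from the advisory.
        String markup = "1<b>not-a-number</b>";
        System.out.println(renderVulnerable(markup));   // markup survives into the page
        System.out.println(renderHardened(markup));     // rejected, nothing echoed
        System.out.println(renderHardened("120743580"));// numeric id rendered safely
    }
}
```

In Liferay code the idiomatic equivalent of `escapeHtml` is the platform's own `HtmlUtil.escape`, but the point of the example is the ordering: validate the parameter's type where possible, and encode for the output context unconditionally, since either step alone is the one that tends to be forgotten.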
Mitigation
Liferay has released fixes for the affected versions: upgrade Liferay Portal to 7.3.6 (CE GA7) or later; for Liferay DXP, apply fix pack 21 for 7.1, fix pack 10 for 7.2, or fix pack 1 for 7.3 [3]. For Liferay Portal 7.2.1 and later, a source patch is available on GitHub [3]. No workaround is documented; upgrading or applying the patch is the recommended mitigation. This CVE is not listed in the CISA Known Exploited Vulnerabilities catalog as of the publication date.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.liferay.portal:release.portal.bom (Maven) | >= 7.2.1, < 7.3.6 | 7.3.6 |
| com.liferay.portal:release.dxp.bom (Maven) | < 7.1.10.fp21 | 7.1.10.fp21 |
| com.liferay.portal:release.dxp.bom (Maven) | >= 7.2.0, < 7.2.10.fp10 | 7.2.10.fp10 |
| com.liferay.portal:release.dxp.bom (Maven) | >= 7.3.0, < 7.3.10.fp1 | 7.3.10.fp1 |
Affected products
- Liferay/Portal (source: description)
  - Range: >=7.2.1 <=7.3.5
- ghsa-coords (2 versions)
  - < 7.1.10.fp21, + 1 more
- (no CPE) range: < 7.1.10.fp21
- (no CPE) range: >= 7.2.1, < 7.3.6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-jvvx-8g42-9559 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-29051 (ghsa, ADVISORY)
- liferay.com (ghsa, x_refsource_MISC, WEB)
- portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743580 (ghsa, x_refsource_MISC, WEB)
- web.archive.org/web/20210524223247/https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743580 (ghsa, WEB)
News mentions
No linked articles in our index yet.