CVE-2021-33328
Description
Cross-site scripting (XSS) vulnerability in the Asset module's edit vocabulary page in Liferay Portal 7.0.0 through 7.3.4, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20, and 7.2 before fix pack 9, allows remote attackers to inject arbitrary web script or HTML via the (1) _com_liferay_journal_web_portlet_JournalPortlet_name or (2) _com_liferay_document_library_web_portlet_DLAdminPortlet_name parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting in Liferay Portal Asset module edit vocabulary page allows remote attackers to inject arbitrary web script or HTML.
Vulnerability
The Asset module's edit vocabulary page in Liferay Portal 7.0.0 through 7.3.4, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20, and 7.2 before fix pack 9, contains a reflected cross-site scripting vulnerability. The _com_liferay_journal_web_portlet_JournalPortlet_name and _com_liferay_document_library_web_portlet_DLAdminPortlet_name parameters are not properly sanitized before being reflected into the page, allowing injection of arbitrary HTML or JavaScript [1].
Exploitation
An attacker can craft a malicious URL containing the XSS payload in one of the parameter values and trick a victim into clicking it. No authentication is required if the parameter is reflected directly; however, the attacker must socially engineer the victim to visit the crafted link [1].
Impact
Successful exploitation allows the attacker to execute arbitrary web script in the victim's browser within the context of the Liferay Portal application. This could lead to session hijacking, defacement, or sensitive data disclosure [1].
Mitigation
Upgrade to a fixed version: Liferay Portal 7.3.5 or later, Liferay DXP 7.0 fix pack 96, 7.1 fix pack 20, or 7.2 fix pack 9. No workarounds are documented; applying the latest patches is recommended [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.liferay.portal:release.portal.bom (Maven) | >= 7.0.0, <= 7.3.4 | — |
| com.liferay.portal:release.dxp.bom (Maven) | >= 7.0.10.fp0, < 7.0.10.fp96 | 7.0.10.fp96 |
| com.liferay.portal:release.dxp.bom (Maven) | >= 7.1.0, < 7.1.10.fp20 | 7.1.10.fp20 |
| com.liferay.portal:release.dxp.bom (Maven) | >= 7.2.0, < 7.2.10.fp9 | 7.2.10.fp9 |
Affected products
- Liferay / Liferay Portal
  - Range: 7.0.0 through 7.3.4
  - GHSA coordinates (2 versions): >= 7.0.10.fp0, < 7.0.10.fp96, plus 1 more
  - (no CPE) range: >= 7.0.10.fp0, < 7.0.10.fp96
  - (no CPE) range: >= 7.0.0, <= 7.3.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-vpvm-3wfw-5f5c (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-33328 (ghsa, ADVISORY)
- issues.liferay.com/browse/LPE-17100 (ghsa, x_refsource_CONFIRM, WEB)
- portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747972 (ghsa, x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.