Medium severity6.1NVD Advisory· Published Mar 3, 2022· Updated Jun 17, 2026
CVE-2021-38263
CVE-2021-38263
Description
Cross-site scripting (XSS) vulnerability in the Server module's script console in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 101, 7.1 before fix pack 20 and 7.2 before fix pack 10 allows remote attackers to inject arbitrary web script or HTML via the output of a script.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.liferay:com.liferay.server.admin.webMaven | < 4.0.12 | 4.0.12 |
com.liferay.portal:release.dxp.bomMaven | <= 7.0 | — |
Affected products
4- osv-coords3 versionspkg:bitnami/liferaypkg:maven/com.liferay/com.liferay.server.admin.webpkg:maven/com.liferay.portal/release.dxp.bom
>= 7.0.0, <= 7.0.0+ 2 more
- (no CPE)range: >= 7.0.0, <= 7.0.0
- (no CPE)range: < 4.0.12
- (no CPE)range: <= 7.0
Patches
Vulnerability mechanics
References
8- portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38263-reflected-xss-with-script-pagenvdPatchVendor Advisory
- github.com/advisories/GHSA-ffmm-5ww2-g3q4ghsaADVISORY
- issues.liferay.com/browse/LPE-17061nvdIssue TrackingVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2021-38263ghsaADVISORY
- liferay.comnvdProductWEB
- github.com/liferay/liferay-portal/commit/1abb1bfc96242065f97c2828a02350ea2174f5f6ghsaWEB
- github.com/liferay/liferay-portal/commit/771d99805b7ca69fecfcf67be5e24f2c1af1d0bbghsaWEB
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2021-38263-reflected-xss-with-script-pageghsaWEB
News mentions
0No linked articles in our index yet.