CVE-2021-38265
Description
Cross-site scripting (XSS) vulnerability in the Asset module in Liferay Portal 7.3.4 through 7.3.6 allows remote attackers to inject arbitrary web script or HTML when creating a collection page via the _com_liferay_asset_list_web_portlet_AssetListPortlet_title parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Liferay Portal 7.3.4-7.3.6 Asset module allows remote attackers to inject arbitrary web script via collection page title parameter.
Vulnerability
Cross-site scripting (XSS) vulnerability in the Asset module of Liferay Portal versions 7.3.4 through 7.3.6. The flaw exists when creating a collection page; the _com_liferay_asset_list_web_portlet_AssetListPortlet_title parameter is not sanitized before being stored and later rendered [1]. The commit [3] shows the fix adds HtmlUtil.escape() to the collection name.
Exploitation
An attacker with the ability to create collection pages (requires authenticated access with appropriate permissions) can inject arbitrary web script or HTML into the title parameter. When the collection page is viewed by other users, the injected script executes in their browser context. No user interaction beyond viewing the page is required.
Impact
Successful exploitation leads to stored cross-site scripting (XSS). The attacker can execute arbitrary JavaScript in the context of the victim's session, potentially leading to session hijacking, defacement, or theft of sensitive information. The attack is persistent as the malicious payload is stored in the collection name.
Mitigation
Liferay addressed this vulnerability in a commit [3] that escapes the collection name using HtmlUtil.escape(). The fix is included in Liferay Portal versions after 7.3.6. Users should upgrade to a patched version. The Liferay security advisory [4] provides details, though the page currently shows an error. No workaround is documented; upgrading is recommended.
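To make the fix concrete, the following is an added example (not Liferay's own code) that contrasts building the collection definition with and without the escape. `escapeHtml()` is a hypothetical stand-in for `HtmlUtil.escape()`, and the JSON template is constructed for the example rather than read from Liferay's resources.

```java
// Added illustration of the fix described above; this is not Liferay's code.
// escapeHtml() is a hypothetical stand-in for HtmlUtil.escape(), and TEMPLATE is a
// constructed stand-in for the collection definition the real command reads from a file.
public class CollectionNameEscapeDemo {

    static final String TEMPLATE =
        "{\"classPK\":\"${CLASS_PK}\",\"collectionName\":\"${COLLECTION_NAME}\"}";

    // Minimal HTML entity encoder for the characters that can break out of HTML text or attributes.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Substitutes the placeholders the way "replacing it" in the commit message describes.
    static String fill(long classPK, String collectionName) {
        return TEMPLATE
            .replace("${CLASS_PK}", Long.toString(classPK))
            .replace("${COLLECTION_NAME}", collectionName);
    }

    // Before the fix: the raw title lands in the stored definition and is later rendered as HTML.
    static String buildDefinitionUnescaped(long classPK, String title) {
        return fill(classPK, title);
    }

    // After the fix (commit ac8267406785): the title is HTML-escaped before substitution,
    // so markup in the name is stored as inert entities.
    static String buildDefinitionEscaped(long classPK, String title) {
        return fill(classPK, escapeHtml(title));
    }

    public static void main(String[] args) {
        // Constructed collection name containing markup, the kind of input a regression test should use.
        String title = "Q1 <script>alert(1)</script>";
        System.out.println(buildDefinitionUnescaped(42L, title));
        System.out.println(buildDefinitionEscaped(42L, title));
    }
}
```

Because the escaped form is what gets persisted in the definition, a regression test should create a collection whose name contains `<`, `&` and `"` and check that the rendered page neither executes the markup nor double-encodes it.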
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.liferay:com.liferay.layout.admin.web (Maven) | < 5.0.0 | 5.0.0 |
| com.liferay.portal:release.dxp.bom (Maven) | <= 7.3 | — |
Affected products
- Liferay / Liferay Portal (from description)
- OSV coordinates (3 packages): pkg:bitnami/liferay, pkg:maven/com.liferay/com.liferay.layout.admin.web, pkg:maven/com.liferay.portal/release.dxp.bom
- (no CPE) range: < 7.3.0
- (no CPE) range: < 5.0.0
- (no CPE) range: <= 7.3
Patches
ac8267406785 LPS-129109 Escape collection name before replacing it
1 file changed · +2 −1
modules/apps/layout/layout-admin-web/src/main/java/com/liferay/layout/admin/web/internal/portlet/action/AddCollectionLayoutMVCActionCommand.java+2 −1 modified@@ -40,6 +40,7 @@ import com.liferay.portal.kernel.servlet.SessionErrors; import com.liferay.portal.kernel.theme.ThemeDisplay; import com.liferay.portal.kernel.util.HashMapBuilder; +import com.liferay.portal.kernel.util.HtmlUtil; import com.liferay.portal.kernel.util.LocaleUtil; import com.liferay.portal.kernel.util.ParamUtil; import com.liferay.portal.kernel.util.Portal; @@ -189,7 +190,7 @@ private String _getCollectionLayoutDefinitionJSON( ).put( "CLASS_PK", classPK ).put( - "COLLECTION_NAME", assetListEntry.getTitle() + "COLLECTION_NAME", HtmlUtil.escape(assetListEntry.getTitle()) ).build(); String collectionDefinition = StringUtil.read(
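Review bot: The escape in `_getCollectionLayoutDefinitionJSON` (`"COLLECTION_NAME", HtmlUtil.escape(assetListEntry.getTitle())`) is applied when the definition is built, so the HTML-escaped form of the title is what gets substituted into the definition rather than being encoded at render time; any downstream renderer that escapes again will show `&amp;lt;` for a `<` in the name, and any consumer that treats COLLECTION_NAME as plain text will receive entities. Worth a short comment stating that COLLECTION_NAME is an HTML-context value, plus a test that creates a collection whose name contains `<`, `&` and `"` and checks both the stored definition and the rendered page. Also confirm whether definitions built from existing `assetListEntry.getTitle()` values before this change need to be regenerated, since the fix only affects definitions built after it.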
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-3x83-whxw-pvmg (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-38265 (GHSA, ADVISORY)
- liferay.com (MITRE, x_refsource_MISC)
- github.com/liferay/liferay-portal/commit/ac8267406785c2e70f4b15aadd604fbe7fb4451b (GHSA, WEB)
- liferay.atlassian.net/browse/LPE-17229 (GHSA, WEB)
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2021-38265-stored-xss-with-collection-name (GHSA, WEB)
- portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38265-stored-xss-with-collection-name (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.