Medium severity5.4NVD Advisory· Published Mar 3, 2022· Updated Jun 17, 2026
CVE-2021-38267
CVE-2021-38267
Description
Cross-site scripting (XSS) vulnerability in the Blogs module's edit blog entry page in Liferay Portal 7.3.2 through 7.3.6, and Liferay DXP 7.3 before fix pack 2 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_blogs_web_portlet_BlogsAdminPortlet_title and _com_liferay_blogs_web_portlet_BlogsAdminPortlet_subtitle parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.liferay.portal:release.portal.bomMaven | >= 7.3.2, < 7.3.7-ga8 | 7.3.7-ga8 |
com.liferay.portal:release.dxp.bomMaven | >= 7.3.0, < 7.3.10.fp2 | 7.3.10.fp2 |
com.liferay:com.liferay.frontend.js.webMaven | < 5.0.0 | 5.0.0 |
Affected products
5- osv-coords4 versionspkg:bitnami/liferaypkg:maven/com.liferay/com.liferay.frontend.js.webpkg:maven/com.liferay.portal/release.dxp.bompkg:maven/com.liferay.portal/release.portal.bom
< 7.3.0+ 3 more
- (no CPE)range: < 7.3.0
- (no CPE)range: < 5.0.0
- (no CPE)range: >= 7.3.0, < 7.3.10.fp2
- (no CPE)range: >= 7.3.2, < 7.3.7-ga8
Patches
Vulnerability mechanics
References
7- portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38267-stored-xss-with-title-and-subtitle-of-blog-entrynvdPatchVendor Advisory
- github.com/advisories/GHSA-r39x-3qq4-gxmrghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-38267ghsaADVISORY
- liferay.comnvdProduct
- github.com/liferay/liferay-portal/commit/c3ad74d0664072c43da4d30a1d19be8cec3aa8bcghsaWEB
- liferay.atlassian.net/browse/LPE-17212ghsaWEB
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2021-38267-stored-xss-with-title-and-subtitle-of-blog-entryghsaWEB
News mentions
0No linked articles in our index yet.