VYPR
Moderate severity · NVD Advisory · Published Mar 2, 2022 · Updated Aug 4, 2024

CVE-2021-38267

Description

Cross-site scripting (XSS) vulnerability in the Blogs module's edit blog entry page in Liferay Portal 7.3.2 through 7.3.6, and Liferay DXP 7.3 before fix pack 2, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_blogs_web_portlet_BlogsAdminPortlet_title and _com_liferay_blogs_web_portlet_BlogsAdminPortlet_subtitle parameters.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Liferay Portal 7.3.2-7.3.6 and DXP 7.3 before fix pack 2 via unescaped blog entry title and subtitle parameters.

Vulnerability

A stored cross-site scripting vulnerability exists in the Blogs module's edit blog entry page. The _com_liferay_blogs_web_portlet_BlogsAdminPortlet_title and _com_liferay_blogs_web_portlet_BlogsAdminPortlet_subtitle parameters are not sanitized before being rendered, allowing an attacker to inject arbitrary web script or HTML. This affects Liferay Portal versions 7.3.2 through 7.3.6, and Liferay DXP 7.3 before fix pack 2 [1][3].

Exploitation

An attacker with the ability to create or edit blog entries can inject malicious script or HTML into the title or subtitle fields. The injected payload is stored on the server and executed in the context of any victim who views the affected blog entry page or the edit interface. No special network position is required beyond standard application access; the attacker must have permissions to submit blog content [1][3].

Impact

Successful exploitation leads to stored cross-site scripting (XSS), enabling the attacker to execute arbitrary JavaScript in the victim's browser session. This can result in session theft, defacement, or redirection to malicious sites, all within the context of the Liferay application and the victim's privileges [1][3].

Mitigation

Liferay has addressed the vulnerability in commit c3ad74d0664072c43da4d30a1d19be8cec3aa8bc by using Liferay.Util.escapeHTML() on the input value [4]. Users of Liferay DXP 7.3 should apply fix pack 2 or later. Liferay Portal users should upgrade to version 7.3.7 or later. No workarounds are documented in the available references [1][3].
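The pre-patch and post-patch assignment described above, as an added example that is not Liferay's code. Assumptions: escapeHTML is a stand-in taken to behave like Liferay.Util.escapeHTML, the DEFAULT_APPEND_CONTENT value and the sample title are constructed, and startTags and renderedText are hypothetical helpers that approximate what an HTML parser does with the string.

```javascript
// Stand-in for Liferay.Util.escapeHTML (assumed behaviour: HTML-significant
// characters are replaced by entities).
const ENTITIES = {'&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'};

function escapeHTML(value) {
	return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Constructed value; the real constant is not shown on the page.
const DEFAULT_APPEND_CONTENT = '&nbsp;&nbsp;';

// String handed to template.innerHTML before the fix: raw field value.
function templateMarkupBefore(inputValue) {
	return inputValue + DEFAULT_APPEND_CONTENT;
}

// String handed to template.innerHTML after the fix: escaped field value.
function templateMarkupAfter(inputValue) {
	return escapeHTML(inputValue) + DEFAULT_APPEND_CONTENT;
}

// Approximation of the parser: names of the element start tags it would open.
function startTags(markup) {
	const tags = [];
	const re = /<([a-zA-Z][a-zA-Z0-9-]*)(?=[\s/>])/g;
	let match;
	while ((match = re.exec(markup)) !== null) {
		tags.push(match[1].toLowerCase());
	}
	return tags;
}

// Text the sizing template would display: entities decoded in a single pass.
function renderedText(markup) {
	const decode = {'&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'", '&nbsp;': '\u00a0', '&amp;': '&'};
	return markup.replace(/&(?:lt|gt|quot|#39|nbsp|amp);/g, (entity) => decode[entity]);
}

// Constructed blog title containing markup.
const SAMPLE_TITLE = 'Q3 <b>results</b> & <img src=x> notes';

console.log('before fix, elements created:', startTags(templateMarkupBefore(SAMPLE_TITLE)));
console.log('after fix, elements created: ', startTags(templateMarkupAfter(SAMPLE_TITLE)));
console.log('after fix, measured text:    ', JSON.stringify(renderedText(templateMarkupAfter(SAMPLE_TITLE))));
```

The escaped form creates no elements yet displays the same characters as the field value, so the height measurement is unchanged by the fix.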

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Ecosystem | Affected versions | Patched versions
com.liferay.portal:release.portal.bom | Maven | >= 7.3.2, < 7.3.7-ga8 | 7.3.7-ga8
com.liferay.portal:release.dxp.bom | Maven | >= 7.3.0, < 7.3.10.fp2 | 7.3.10.fp2
com.liferay:com.liferay.frontend.js.web | Maven | < 5.0.0 | 5.0.0


Patches

c3ad74d06640

LPS-128451 Escape content to avoid running embedded Js code

https://github.com/liferay/liferay-portal · Adolfo Pérez · Mar 1, 2021 · via ghsa
1 file changed · +3 -1
  • modules/apps/frontend-js/frontend-js-web/src/main/resources/META-INF/resources/liferay/autosize/autosize.es.js · +3 -1 · modified
    @@ -69,7 +69,9 @@ class AutoSize {
     			this.template.style.width = this.computedStyle.width;
     		}
     
    -		this.template.innerHTML = inputElement.value + DEFAULT_APPEND_CONTENT;
    +		this.template.innerHTML =
    +			Liferay.Util.escapeHTML(inputElement.value) +
    +			DEFAULT_APPEND_CONTENT;
     
     		inputElement.style.height = `${
     			this.template.scrollHeight < this.minHeight
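
Review bot: The new this.template.innerHTML assignment still passes the field value through the HTML parser, so its safety rests entirely on Liferay.Util.escapeHTML being loaded when AutoSize runs and on no later edit dropping the call. The template is only read back through scrollHeight, so consider writing the value with this.template.textContent = inputElement.value and appending DEFAULT_APPEND_CONTENT as a separate step; its definition is outside this hunk, so check whether it contains markup before choosing how to append it. The commit changes one file and adds no test; a regression test asserting that a value containing markup leaves the template with no child elements would pin the behaviour.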
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
