Attacker Value
Low
(1 user assessed)
Exploitability
Unknown
(1 user assessed)
User Interaction
Required
Privileges Required
None
Attack Vector
Network
2

CVE-2021-33326

Disclosure Date: August 03, 2021
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Initial Access
Techniques
Validation
Validated

Description

Cross-site scripting (XSS) vulnerability in the Frontend JS module in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20 and 7.2 before fix pack 9, allows remote attackers to inject arbitrary web script or HTML via the title of a modal window.

Add Assessment

2
Ratings
  • Attacker Value
    Low
Technical Analysis

Additional information by the reporter at https://liferay.atlassian.net/browse/LPE-17093

Steps to reproduce

  1. Start vanilla 7.0.x/7.1x/7.2.x
  2. create a site team with title: <b onmouseover=alert(document.location)>Test</b>
  3. Click into the Team
  4. click + to add new member
  5. In the popup, hover onto ‘Test’ in the title: “Add New User to Test”

Actual result: XSS popup

Expected: no XSS

Reproduced on: (x) 7.0.x Commit: f0ea5eb8945bd8bd20736d6aff0a5a6e748f5051 (x) 7.2.x Commit: 774c13baf1149336f7011318c0766e1dd0c4270f|https://github.com/liferay/liferay-portal/commit/774c13baf1149336f7011318c0766e1dd0c4270f master private Commit: c379f2a0f2204cf2ded7688e367ef69d72919485

CVSS V3 Severity and Metrics
Base Score:
6.1 Medium
Impact Score:
2.7
Exploitability Score:
2.8
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope (S):
Changed
Confidentiality (C):
Low
Integrity (I):
Low
Availability (A):
None

General Information

Vendors

  • liferay

Products

  • dxp 7.0,
  • dxp 7.1,
  • dxp 7.2,
  • liferay portal

Additional Info

Technical Analysis