Liferay Portal 7.3.4 and later, prior to 7.3.6, is affected by a stored cross-site scripting (XSS) vulnerability in the Layout module's page administration page. It allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_name parameter. Because the injected content is stored, it is served to users who later load the affected view.
Note that Nessus has not tested for this issue; the finding relies only on the application's self-reported version number, so it should be confirmed against the installed build before being treated as verified.
{"id": "LIFERAY_7_3_6_CVE-2021-29048.NASL", "vendorId": null, "type": "nessus", "bulletinFamily": "scanner", "title": "Liferay Portal 7.3.4 < 7.3.6 XSS", "description": "Liferay Portal from 7.3.4 and prior to 7.3.6 is affected by a stored cross-site scripting vulnerability in the Layout module's page administration page that allows remote attackers to inject arbitrary web script or HTML via the\n_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_name parameter.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "published": "2021-07-13T00:00:00", "modified": "2022-04-11T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {}, "cvss3": {"score": 6.1, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "href": "https://www.tenable.com/plugins/nessus/151577", "reporter": "This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://www.nessus.org/u?e367c251", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29048"], "cvelist": ["CVE-2021-29048"], "immutableFields": [], "lastseen": "2022-04-11T21:21:41", "viewCount": 27, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-29048"]}]}, "score": {"value": 4.6, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-29048"]}, {"type": "nessus", "idList": ["LIFERAY_DETECT.NASL"]}]}, "exploitation": null, "vulnersScore": 4.6}, "_state": {"dependencies": 0, "score": 0}, "_internal": {}, "pluginID": "151577", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151577);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2021-29048\");\n script_xref(name:\"IAVA\", 
value:\"2021-A-0296\");\n\n script_name(english:\"Liferay Portal 7.3.4 < 7.3.6 XSS\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application running on a remote web server host is affected by a cross-site scripting vulnerability\");\n script_set_attribute(attribute:\"description\", value:\n\"Liferay Portal from 7.3.4 and prior to 7.3.6 is affected by a stored cross-site scripting vulnerability in the Layout\nmodule's page administration page that allows remote attackers to inject arbitrary web script or HTML via the\n_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_name parameter.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120743601\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e367c251\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Liferay Portal 7.3 CE GA7 (7.3.6) or later\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-29048\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/05/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:liferay:liferay_portal\");\n script_set_attribute(attribute:\"stig_severity\", 
value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"liferay_detect.nasl\");\n script_require_keys(\"installed_sw/liferay_portal\");\n script_require_ports(\"Services/www\", 8080);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('http.inc');\n\nvar app = 'liferay_portal';\nvar port = get_http_port(default:8080);\n\nvar app_info = vcf::get_app_info(app:app, webapp:TRUE, port:port);\n\nvar constraints = [\n { 'min_version' : '7.3.4', 'fixed_version' : '7.3.6' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING, flags:{'xss':TRUE});\n", "naslFamily": "CGI abuses", "cpe": ["cpe:/a:liferay:liferay_portal"], "solution": "Upgrade to Liferay Portal 7.3 CE GA7 (7.3.6) or later", "nessusSeverity": "Medium", "cvssScoreSource": "CVE-2021-29048", "vpr": {"risk factor": "Low", "score": "3"}, "exploitAvailable": false, "exploitEase": "No known exploits are available", "patchPublicationDate": "2021-03-31T00:00:00", "vulnerabilityPublicationDate": "2021-05-10T00:00:00", "exploitableWith": []}