Liferay Frontend Taglib Clay is vulnerable to cross-site scripting. The vulnerability exists in the processStartTag function of ManagementToolbarTag.java: the keyword passed to the search function is not escaped, which allows an attacker to inject and execute arbitrary JavaScript.
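As an added illustration that is not Liferay's own code or the actual patch: a minimal stand-in for a tag that writes the toolbar's search keyword into the search input (the exact markup is assumed), showing the unescaped reflection beside the escaped form and a simple review check over the rendered output.

```java
// Added illustration, not Liferay's code or patch; the input markup is assumed.
public class SearchKeywordEscapingDemo {
    // Escapes the characters that let untrusted text break out of element
    // content or a double-quoted attribute value.
    static String escape(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;"); break;
                case '<':  sb.append("&lt;");  break;
                case '>':  sb.append("&gt;");  break;
                case '"':  sb.append("&#34;"); break;
                case '\'': sb.append("&#39;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Vulnerable pattern: the request-supplied keyword is concatenated straight
    // into a quoted attribute, so a quote in it ends the attribute and whatever
    // follows is parsed as markup.
    static String renderUnescaped(String keyword) {
        return "<input name=\"keywords\" value=\"" + keyword + "\">";
    }

    // Hardened pattern: same markup, keyword escaped before it is written.
    static String renderEscaped(String keyword) {
        return "<input name=\"keywords\" value=\"" + escape(keyword) + "\">";
    }

    // Review check: no raw quote or angle bracket may survive inside the
    // rendered value attribute.
    static boolean valueAttributeIntact(String html) {
        int start = html.indexOf("value=\"") + "value=\"".length();
        String inner = html.substring(start, html.lastIndexOf("\">"));
        return !inner.contains("\"") && !inner.contains("<") && !inner.contains(">");
    }

    public static void main(String[] args) {
        // Constructed sample keyword: harmless text containing the characters
        // that matter when it is reflected into an attribute.
        String keyword = "tom's \"quoted\" <term>";
        for (String html : new String[] {renderUnescaped(keyword), renderEscaped(keyword)}) {
            System.out.println(html + "  intact=" + valueAttributeIntact(html));
        }
    }
}
```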
| CPE | Name | Operator | Version |
|---|---|---|---|
| | com.liferay.frontend.taglib.clay | le | 7.1.9 |
liferay.com
github.com/advisories/GHSA-ffmm-5ww2-g3q4
github.com/community-security-team/liferay-portal/compare/7.2.1-ga2...7.2.1-cumulative.patch
github.com/liferay/liferay-portal/commit/751a70e0ed7b380ea2ab510ff79ddb33ed87dd9b
issues.liferay.com/browse/LPE-17061
portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38263-reflected-xss-with-script-page