Liferay Frontend Taglib Clay is vulnerable to cross-site scripting. The vulnerability exists in the processStartTag function of ManagementToolbarTag.java because the keyword parameter of the search function is not properly escaped, which allows an attacker to inject and execute arbitrary web scripts.
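The defect described above is an output-encoding failure: a request-controlled search keyword is written into an HTML attribute without escaping. The following is an added illustration written for this page, not code from Liferay or from the fixed commit; the class, method and helper names are made up for the example, and the escaper is a minimal stand-in for a framework encoder such as Liferay's HtmlUtil.escape or the OWASP Java Encoder.

```java
/**
 * Added example (not Liferay code): renders a search box into HTML twice,
 * once with the keyword concatenated raw and once with it encoded for the
 * attribute context, to show why the raw form is a reflected XSS sink.
 */
public class SearchBoxRenderer {

    // Vulnerable pattern: user-controlled keyword is concatenated straight into markup,
    // so a double quote in the input closes the value attribute and new markup follows.
    static String renderUnsafe(String keywords) {
        return "<input type=\"text\" name=\"keywords\" value=\"" + keywords + "\" />";
    }

    // Hardened pattern: encode for the HTML attribute context before concatenation.
    static String renderSafe(String keywords) {
        return "<input type=\"text\" name=\"keywords\" value=\"" + escapeHtml(keywords) + "\" />";
    }

    // Minimal HTML escaper constructed for this example; a real project should call its
    // framework's encoder (e.g. HtmlUtil.escape in Liferay, or the OWASP Java Encoder).
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&#34;");  break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed reflected input: a value that would break out of the attribute.
        String keywords = "\"><script>alert(1)</script>";
        System.out.println("unsafe: " + renderUnsafe(keywords));
        System.out.println("safe:   " + renderSafe(keywords));
    }
}
```

Running the class prints the raw rendering, in which the injected quote terminates the attribute and the script element becomes live markup, next to the encoded rendering, in which every quote and angle bracket is a harmless entity and the whole input stays inside the attribute value. The fix for the advisory's issue is the same shape: apply the attribute-context encoder to the keyword at the point where it is written into the tag output.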
CPE | Name | Operator | Version
---|---|---|---
 | com.liferay.frontend.taglib.clay | le | 7.1.14
liferay.com
github.com/advisories/GHSA-9536-m86r-q297
github.com/liferay/liferay-portal/commit/f5df5cbfdc8254b2388fa445e62ec1efebe3547f
issues.liferay.com/browse/LPS-134654
portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38264-reflected-xss-with-keywords-in-search