Description
Multiple cross-site scripting (XSS) vulnerabilities in the fragment module in Liferay Portal 7.1.0 through 7.3.2 allow remote attackers to inject arbitrary web script or HTML via the (1) _com_liferay_fragment_web_portlet_FragmentPortlet_htmlContent, (2) _com_liferay_fragment_web_portlet_FragmentPortlet_cssContent, or (3) _com_liferay_fragment_web_portlet_FragmentPortlet_jsContent parameter.
Severity
Severity 2
Fixed Version(s)
- Liferay Portal 7.3.3
- September 2020 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page.
Publication date: Mon, 31 Aug 2020 17:00:00 +0000