CVE-2021-29049: Liferay DXP Vulnerable to Cross-Site Scripting (XSS) via the currentURL Parameter

May 24, 2022 (updated May 14, 2025)

Cross-site scripting (XSS) vulnerability in the Portal Workflow module’s edit process page in Liferay DXP 7.0 before fix pack 99, 7.1 before fix pack 23, 7.2 before fix pack 12 and 7.3 before fix pack 1, allows remote attackers to inject arbitrary web script or HTML via the currentURL parameter.

References

github.com/advisories/GHSA-w28v-87g6-cjr6
github.com/liferay/liferay-portal
issues.liferay.com/browse/LPE-17211
nvd.nist.gov/vuln/detail/CVE-2021-29049

Code Behaviors & Features

Detect and mitigate CVE-2021-29049 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →