CVE-2021-29039: Liferay Portal Vulnerable to Cross-Site Scripting (XSS) via Categories Admin Page

May 24, 2022 (updated May 14, 2025)

Cross-site scripting (XSS) vulnerability in the Asset module’s categories administration page in Liferay Portal 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the site name.

References

github.com/advisories/GHSA-239w-4f3w-cfcv
github.com/liferay/liferay-portal
nvd.nist.gov/vuln/detail/CVE-2021-29039
web.archive.org/web/20220828222833/https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120777766

Code Behaviors & Features

Detect and mitigate CVE-2021-29039 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →