CVE-2021-29046: Cross-site scripting (XSS) vulnerability in the Asset module's category selector input field in Liferay Por...
Cross-site scripting (XSS) vulnerability in the Asset module's category selector input field in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_asset_categories_admin_web_portlet_AssetCategoriesAdminPortlet_title parameter.
Security readout for executives and security teams
Plain-English summary
This CVE is a cross-site scripting issue in Liferay’s Asset module category selector. A remote attacker could inject script or HTML through a category title parameter, potentially affecting users who view or manage that content. The source bundle does not provide CVSS scoring or evidence of active exploitation.
Executive priority
Treat this as a targeted remediation item for affected Liferay deployments. It is not KEV-listed in the provided data, but XSS in administrative content workflows can create account and content integrity risk.
Technical view
CVE-2021-29046 affects Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1. The vulnerable input is the AssetCategoriesAdminPortlet title parameter in the category selector field, allowing injected web script or HTML. Authentication requirements, privileges, and impact scope are not defined in the provided sources.
Likely exposure
Exposure is likely limited to organizations running Liferay Portal 7.3.5 or Liferay DXP 7.3 before fix pack 1, especially where Asset category administration is accessible to users or remotely reachable.
Exploitation context
The provided sources describe remote script or HTML injection but do not include exploit maturity, public exploit confirmation, or CISA KEV listing. Active exploitation is therefore not evidenced here.
Researcher notes
Key unknowns are authentication requirements, stored versus reflected behavior details, affected configuration breadth, and fixed version details for Portal 7.3.5. Validation should stay focused on the named parameter and affected Liferay versions from the sources.
Mitigation direction
Check Liferay’s advisory for affected builds and supported remediation guidance.
For Liferay DXP 7.3, plan upgrade to fix pack 1 or a vendor-supported successor.
Restrict access to Asset category administration until remediation is complete.
Review custom category workflows for untrusted input exposure.
Monitor Liferay security notices for any updated fixes or mitigations.
Validation and detection
Inventory Liferay Portal and DXP versions across internet-facing and internal systems.
Confirm whether any systems run Portal 7.3.5 or DXP 7.3 before fix pack 1.
Identify users and roles with access to Asset category management.
Review logs for unusual category title changes or unexpected script-like content.
Verify remediation status against Liferay’s advisory, not version naming alone.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2021-29046 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
1ADP providers
2Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
May 17, 2021, 10:27 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.