Cross-site scripting (XSS) vulnerability in the Fragment module in Liferay Portal 7.2.1 through 7.3.4, and Liferay DXP 7.2 before fix pack 9 allows remote attackers to inject arbitrary web script or HTML via the comliferaysiteadminwebportletSiteAdminPortletname parameter.
{
"unresolved_ranges": [
{
"source": "CPE_STRING",
"cpes": [
"cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*",
"cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:*",
"cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:*",
"cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:*",
"cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:*",
"cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_5:*:*:*:*:*:*",
"cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_6:*:*:*:*:*:*",
"cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_7:*:*:*:*:*:*",
"cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_8:*:*:*:*:*:*"
],
"vendor_product": "liferay:digital_experience_platform",
"extracted_events": [
{
"introduced": "7.2-NA"
},
{
"last_affected": "7.2-NA"
},
{
"introduced": "7.2-fix_pack_1"
},
{
"last_affected": "7.2-fix_pack_1"
},
{
"introduced": "7.2-fix_pack_2"
},
{
"last_affected": "7.2-fix_pack_2"
},
{
"introduced": "7.2-fix_pack_3"
},
{
"last_affected": "7.2-fix_pack_3"
},
{
"introduced": "7.2-fix_pack_4"
},
{
"last_affected": "7.2-fix_pack_4"
},
{
"introduced": "7.2-fix_pack_5"
},
{
"last_affected": "7.2-fix_pack_5"
},
{
"introduced": "7.2-fix_pack_6"
},
{
"last_affected": "7.2-fix_pack_6"
},
{
"introduced": "7.2-fix_pack_7"
},
{
"last_affected": "7.2-fix_pack_7"
},
{
"introduced": "7.2-fix_pack_8"
},
{
"last_affected": "7.2-fix_pack_8"
}
]
}
]
}