CVE-2020-7934: Liferay Portal Vulnerable to Persistent Cross-Site Scripting (XSS) in MyAccountPortlet

May 24, 2022 (updated April 28, 2025)

In LifeRay Portal CE 7.1.0 through 7.2.1, the First Name, Middle Name, and Last Name fields for user accounts in MyAccountPortlet are all vulnerable to a persistent XSS issue. Any user can modify these fields with a particular XSS payload, and it will be stored in the database. The payload will then be rendered when a user utilizes the search feature to search for other users (i.e., if a user with modified fields occurs in the search results).

References

github.com/3ndG4me/liferay-xss-7.2.1GA2-poc-report-CVE-2020-7934
github.com/advisories/GHSA-f99h-h678-fgg4
github.com/liferay/liferay-portal
nvd.nist.gov/vuln/detail/CVE-2020-7934
web.archive.org/web/20200808034429/https://semanticbits.com/liferay-portal-authenticated-xss-disclosure

Code Behaviors & Features

Detect and mitigate CVE-2020-7934 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →