Advisories for Maven/Com.liferay/Com.liferay.asset.taglib package

2022

Liferay Portal and Liferay DXP Vulnerable to XSS via Tag Name

A cross-site scripting (XSS) vulnerability in Liferay Asset Taglib before v6.1.9 from Liferay Portal (v7.3.3 through v7.4.2) and Liferay DXP v7.3 before service pack 3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name of a tag.

Liferay Portal and Liferay DXP allows arbitrary injection via the name of an asset category

Cross-site scripting (XSS) vulnerability in the Asset module's asset categories selector before 6.1.0 in Liferay Portal 7.3.3 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the name of an asset category.