{"id":"CVE-2021-33336","details":"Cross-site scripting (XSS) vulnerability in the Journal module's add article menu in Liferay Portal 7.3.0 through 7.3.3, and Liferay DXP 7.1 fix pack 18, and 7.2 fix pack 5 through 7, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_journal_web_portlet_JournalPortlet_name parameter.","aliases":["GHSA-fvg6-9r88-7w85"],"modified":"2026-03-14T01:58:38.030043Z","published":"2021-08-04T13:15:08.023Z","references":[{"type":"ADVISORY","url":"https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-33336-stored-xss-with-structure-name"},{"type":"FIX","url":"https://issues.liferay.com/browse/LPE-17078"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/liferay/liferay-portal","events":[{"introduced":"0"},{"last_affected":"59148a8775a2b2345694a023683d95b478c483c6"},{"introduced":"0"},{"last_affected":"0ac7dd652f3cac9b7880e6dea92912b2d02dca3a"},{"introduced":"0"},{"last_affected":"a3f823cf755fcf3660cd6c2c334840e9596ced9e"},{"introduced":"b072f5df5544a28677824835b490ce8a867bf133"},{"fixed":"6d28f4266948e7b0eeb14c3e8d16b3d81e02e8bb"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"7.1-fix_pack_1"},{"introduced":"0"},{"last_affected":"7.1-fix_pack_2"},{"introduced":"0"},{"last_affected":"7.1-fix_pack_3"},{"introduced":"7.3.0"},{"fixed":"7.3.4"}]}}],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"7.1-NA"}]},{"events":[{"introduced":"0"},{"last_affected":"7.1-fix_pack_10"}]},{"events":[{"introduced":"0"},{"last_affected":"7.1-fix_pack_11"}]},{"events":[{"introduced":"0"},{"last_affected":"7.1-fix_pack_12"}]},{"events":[{"introduced":"0"},{"last_affected":"7.1-fix_pack_13"}]},{"events":[{"introduced":"0"},{"last_affected":"7.1-fix_pack_14"}]},{"events":[{"introduced":"0"},{"last_affected":"7.1-fix_pack_15"}]},{"events":[{"introduced":"0"},{"last_affected":"7.1-fix_pack_16"}]},{"events":[{"introduced":"0"},{"last_affected":"7.1-fix_pack_17"}]},{"events":[{"introduced":"0"},{"last_affected":"7.1-fix_pack_4"}]},{"events":[{"introduced":"0"},{"last_affected":"7.1-fix_pack_5"}]},{"events":[{"introduced":"0"},{"last_affected":"7.1-fix_pack_6"}]},{"events":[{"introduced":"0"},{"last_affected":"7.1-fix_pack_7"}]},{"events":[{"introduced":"0"},{"last_affected":"7.1-fix_pack_8"}]},{"events":[{"introduced":"0"},{"last_affected":"7.1-fix_pack_9"}]},{"events":[{"introduced":"0"},{"last_affected":"7.2-fix_pack_5"}]},{"events":[{"introduced":"0"},{"last_affected":"7.2-fix_pack_6"}]},{"events":[{"introduced":"0"},{"last_affected":"7.2-fix_pack_7"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-33336.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}