CVE-2021-33339 in Liferay
Summary
by MITRE • 08/04/2021
Cross-site scripting (XSS) vulnerability in the Fragment module in Liferay Portal 7.2.1 through 7.3.4, and Liferay DXP 7.2 before fix pack 9 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_site_admin_web_portlet_SiteAdminPortlet_name parameter.
Analysis
by VulDB Data Team • 05/14/2025
The vulnerability identified as CVE-2021-33339 represents a critical cross-site scripting flaw within the Fragment module of Liferay Portal and Liferay DXP platforms. This security weakness affects versions ranging from Liferay Portal 7.2.1 through 7.3.4 and Liferay DXP 7.2 before fix pack 9, creating a significant attack surface for malicious actors seeking to compromise web applications. The vulnerability specifically resides in the SiteAdminPortlet component where user input is not properly sanitized before being rendered back to users, enabling attackers to execute arbitrary web scripts or HTML code within the context of other users' browsers.
The technical exploitation of this vulnerability occurs through manipulation of the _com_liferay_site_admin_web_portlet_SiteAdminPortlet_name parameter, which serves as an entry point for injecting malicious payloads. When an attacker crafts a specially formatted input string containing script tags or other malicious HTML content and submits it through this parameter, the vulnerable application fails to adequately validate or escape the input before processing it. This allows the malicious code to be stored and subsequently executed when other users view the affected page, creating a persistent XSS vector that can be leveraged for various malicious purposes including session hijacking, credential theft, or redirection to malicious sites.
The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to establish persistent footholds within affected environments. According to CWE-79 classification, this represents a classic cross-site scripting weakness that allows attackers to inject client-side scripts into web pages viewed by other users. The ATT&CK framework categorizes this as a web application vulnerability that can be leveraged for initial access and privilege escalation within the target environment. The vulnerability's presence in the Fragment module suggests that it may affect content management capabilities, potentially allowing attackers to modify or replace legitimate content with malicious alternatives that can propagate to multiple users.
Organizations utilizing affected Liferay versions face substantial risk from this vulnerability, as it can be exploited remotely without requiring authentication or specific user interaction beyond visiting a compromised page. The attack vector's simplicity makes it particularly dangerous in environments where users may inadvertently click on malicious links or visit compromised websites. Security teams should prioritize immediate remediation through official patch releases or workaround implementations, as the vulnerability can be exploited to gain unauthorized access to user sessions and potentially escalate privileges within the application environment. The affected parameter's location within the SiteAdminPortlet suggests that it may be accessible through various administrative functions, increasing the potential attack surface and impact scope for this particular vulnerability.
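As an added example (not code from the advisory or from Liferay), a small Python triage script for defenders: it checks whether a Liferay Portal CE version string falls inside the affected 7.2.1 through 7.3.4 range, and scans access-log lines for script-like markup in the `_com_liferay_site_admin_web_portlet_SiteAdminPortlet_name` parameter, unwrapping repeated percent-encoding so that double-encoded values are not missed. The log lines, hosts and paths are constructed, and the script assumes the parameter appears in the logged request target.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Parameter named in the CVE-2021-33339 advisory
PARAM = "_com_liferay_site_admin_web_portlet_SiteAdminPortlet_name"


def portal_version_affected(version: str) -> bool:
    """True if a Liferay Portal CE version lies in the advisory's 7.2.1 .. 7.3.4 range.
    DXP 7.2 fix-pack levels are not plain version numbers and are not handled here."""
    parts = tuple(int(p) for p in version.split("."))
    return (7, 2, 1) <= parts <= (7, 3, 4)


# Markup that has no business in a site name: a tag opener, an on*= event handler
# or a javascript: URL. Ordinary text such as "R&D Site" does not match.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)
# Request line inside a combined-format access log entry
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_param(target: str) -> list:
    """Return every value of PARAM in the request target, fully percent-decoded.
    parse_qs decodes one layer; the loop unwraps double-encoded values (%253C)."""
    values = []
    for raw in parse_qs(urlsplit(target).query, keep_blank_values=True).get(PARAM, []):
        decoded = raw
        while (nxt := unquote(decoded)) != decoded:
            decoded = nxt
        values.append(decoded)
    return values


def find_suspicious(log_lines) -> list:
    """Return (method, decoded value) for every request whose PARAM contains markup."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if not m:
            continue
        for value in decode_param(m.group("target")):
            if SUSPICIOUS.search(value):
                hits.append((m.group("method"), value))
    return hits


# Constructed sample log lines; the client addresses, user and paths are made up.
_PREFIX = '10.0.0.5 - admin [04/Aug/2021:10:00:01 +0000] "'
_SUFFIX = ' HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
_PATH = "/group/control_panel/manage?p_p_id=com_liferay_site_admin_web_portlet_SiteAdminPortlet&"
SAMPLE_LOG = [
    _PREFIX + "POST " + _PATH + PARAM + "=Marketing+Site" + _SUFFIX,            # benign
    _PREFIX + "GET " + _PATH + PARAM + "=%3Cscript%3Ealert%281%29%3C%2Fscript%3E" + _SUFFIX,
    _PREFIX + "POST " + _PATH + PARAM + "=R%26D+Site" + _SUFFIX,                # benign, has '&'
    _PREFIX + "POST " + _PATH + PARAM + "=%253Cimg%2520onerror%253D1%253E" + _SUFFIX,  # double-encoded
]
```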