CVE-2021-29044: 
Java vulnerability analysis and mitigation

A Cross-site scripting (XSS) vulnerability was discovered in the Site module's membership request administration pages in Liferay Portal versions 7.0.0 through 7.3.5, and Liferay DXP versions 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1. The vulnerability was assigned CVE-2021-29044 and was publicly disclosed on May 17, 2021 (NVD).

The vulnerability allows remote attackers to inject arbitrary web script or HTML through the comliferaysitemysiteswebportletMySitesPortlet_comments parameter. The severity of this vulnerability is rated as MEDIUM with a CVSS v3.1 Base Score of 6.1 and CVSS v2.0 Base Score of 4.3. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (NVD).

If exploited, this vulnerability could allow attackers to inject malicious web scripts or HTML code that would execute in users' browsers when viewing affected pages. This could potentially lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected user's session (NVD).

Users should upgrade to the following fixed versions: Liferay DXP 7.0 fix pack 97 or later, 7.1 fix pack 21 or later, 7.2 fix pack 10 or later, or 7.3 fix pack 1 or later. For Liferay Portal users, versions after 7.3.5 contain the fix (Liferay Advisory).