CVE-2021-33328: 
Java vulnerability analysis and mitigation

Cross-site scripting (XSS) vulnerability was discovered in the Asset module's edit vocabulary page in Liferay Portal versions 7.0.0 through 7.3.4, and Liferay DXP versions 7.0 before fix pack 96, 7.1 before fix pack 20, and 7.2 before fix pack 9. The vulnerability was assigned CVE-2021-33328 and was publicly disclosed on August 3, 2021 (NVD).

The vulnerability allows remote attackers to inject arbitrary web script or HTML through two specific parameters: (1) comliferayjournalwebportletJournalPortletname and (2) comliferaydocumentlibrarywebportletDLAdminPortlet_name. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, and a CVSS v2.0 base score of 3.5 (LOW) (NVD).

If exploited, this vulnerability could allow attackers to inject and execute malicious web scripts or HTML code in the context of other users' browsers who access the affected pages. This could lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected user's session (NVD).

Users should upgrade to the following versions based on their installation: Liferay DXP 7.0 fix pack 96 or later, 7.1 fix pack 20 or later, or 7.2 fix pack 9 or later. For Liferay Portal users, versions after 7.3.4 contain the fix (Liferay Issue).