CVE-2021-38264: 
Java vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability was discovered in the Frontend Taglib module of Liferay Portal versions 7.4.0 and 7.4.1. The vulnerability (CVE-2021-38264) was disclosed on January 24, 2022, and allows remote attackers to inject arbitrary web script or HTML into the management toolbar search via the keywords parameter. This vulnerability resulted from an incomplete fix of a previous vulnerability (CVE-2021-35463) (Liferay Advisory).

The vulnerability is classified as a reflected XSS issue (CWE-79: Improper Neutralization of Input During Web Page Generation). According to the CVSS 3.1 scoring system, it received a base score of 6.1 (MEDIUM) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability is network exploitable, requires low attack complexity, needs no privileges, but does require user interaction. The scope is changed, with low impact on confidentiality and integrity, and no impact on availability (NVD).

If successfully exploited, this vulnerability could allow attackers to inject malicious web scripts or HTML code through the management toolbar search functionality. This could potentially lead to the execution of arbitrary code in users' browsers, potentially compromising user sessions or leading to the theft of sensitive information (NVD).

The vulnerability was fixed in Liferay Portal version 7.4.2. Organizations using affected versions (7.4.0 and 7.4.1) should upgrade to version 7.4.2 or later to address this security issue (Liferay Advisory).