CVE-2022-26594 — Cross-site Scripting in Portal

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

6.1MEDIUMNVD

EPSS

0.3%

top 50.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Portal

Timeline

PublishedApr 15

Latest updateApr 16

Description

Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.3.5 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allow remote attackers to inject arbitrary web script or HTML via a form field's help text to (1) Forms module's form builder, or (2) App Builder module's object form view's form builder.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages1 packages

▶NVDliferay/liferay_portal7.3.5 — 7.3.7+1

Patches

Patch: portal.liferay.dev ↗Patch: portal.liferay.dev ↗

🔴Vulnerability Details

GHSA

Liferay Portal and Liferay DXP allows arbitrary injection via form field↗2022-04-16

▶

OSV

Liferay Portal and Liferay DXP allows arbitrary injection via form field↗2022-04-16

▶

CVEList

CVE-2022-26594: Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7↗2022-04-15

▶