CVE-2022-26596 — Cross-site Scripting in Portal

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

6.1MEDIUMNVD

EPSS

0.2%

top 54.12%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Portal Liferay Digital Experience Platform

Timeline

PublishedApr 25

Latest updateApr 26

Description

Cross-site scripting (XSS) vulnerability in Journal module's web content display configuration page in Liferay Portal 7.1.0 through 7.3.3, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 8, allows remote attackers to inject arbitrary web script or HTML via web content template names.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDliferay/liferay_portal7.1.0 — 7.3.3

▶NVDliferay/digital_experience_platform7.0, 7.1, 7.2+2

🔴Vulnerability Details

OSV

Liferay Portal and Liferay DXP allows arbitrary injection via web content template names↗2022-04-26

▶

GHSA

Liferay Portal and Liferay DXP allows arbitrary injection via web content template names↗2022-04-26

▶

CVEList

CVE-2022-26596: Cross-site scripting (XSS) vulnerability in Journal module's web content display configuration page in Liferay Portal 7↗2022-04-25

▶