CVE-2022-38901Cross-site Scripting in DXP

CWE-79Cross-site Scripting3 documents3 sources
Severity
5.4MEDIUMNVD
EPSS
0.3%
top 45.43%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Liferay DXPLiferay Portal
Timeline
PublishedOct 19

Description

A Cross-site scripting (XSS) vulnerability in the Document and Media module - file upload functionality in Liferay Digital Experience Platform 7.3.10 SP3 allows remote attackers to inject arbitrary JS script or HTML into the description field of uploaded svg file.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

NVDliferay/dxp7.07.3+2
NVDliferay/liferay_portal7.3.57.4.3.28

🔴Vulnerability Details

2
GHSA
GHSA-pq9f-jx2p-2xwc: A Cross-site scripting (XSS) vulnerability in the Document and Media module - file upload functionality in Liferay Digital Experience Platform 72022-10-19
CVEList
CVE-2022-38901: A Cross-site scripting (XSS) vulnerability in the Document and Media module - file upload functionality in Liferay Digital Experience Platform 72022-10-19
CVE-2022-38901 — Cross-site Scripting in Liferay DXP | cvebase