CVE-2022-38902 — Cross-site Scripting in Portal

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

5.4MEDIUMNVD

EPSS

0.2%

top 54.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Portal Liferay DXP

Timeline

PublishedOct 13

Description

A Cross-site scripting (XSS) vulnerability in the Blog module - add new topic functionality in Liferay Digital Experience Platform 7.3.10 SP3 allows remote attackers to inject arbitrary JS script or HTML into the name field of newly created topic.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶NVDliferay/liferay_portal7.3.0 — 7.4.0

▶NVDliferay/dxp7.3

Patches

Patch: www.offensity.com ↗Patch: www.offensity.com ↗

🔴Vulnerability Details

CVEList

CVE-2022-38902: A Cross-site scripting (XSS) vulnerability in the Blog module - add new topic functionality in Liferay Digital Experience Platform 7↗2022-10-13

▶

GHSA

GHSA-gw4h-jpvh-jq27: A Cross-site scripting (XSS) vulnerability in the Blog module - add new topic functionality in Liferay Digital Experience Platform 7↗2022-10-13

▶