WEB APPLICATION VULNERABILITIES Standard & Premium

Liferay Portal Origin Validation Error Vulnerability (CVE-2022-25146)

Description

The Remote App module in Liferay Portal through v7.4.3.8 and Liferay DXP through v7.4 does not check if the origin of event messages it receives matches the origin of the Remote App, allowing attackers to exfiltrate the CSRF token via a crafted event message.

Remediation

References

Related Vulnerabilities

MediaWiki Incorrect Permission Assignment for Critical Resource Vulnerability (CVE-2021-36129)

Jboss EAP Permissions, Privileges, and Access Controls Vulnerability (CVE-2012-5478)

XWiki Improper Handling of Exceptional Conditions Vulnerability (CVE-2023-29520)

WordPress Plugin WP Dev Powers:ACF Color Coded Field Types Security Bypass (1.0)

WordPress Plugin MW WP Form Cross-Site Scripting (1.7.1)

Severity

Medium

Classification

CVE-2022-25146 CWE-346 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Tags

Missing Update Known Vulnerabilities