CVE-2022-25146

Published: Mar 3, 2022Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

The Remote App module in Liferay Portal Liferay Portal v7.4.3.4 through v7.4.3.8 and Liferay DXP 7.4 before update 5 does not check if the origin of event messages it receives matches the origin of the Remote App, allowing attackers to exfiltrate the CSRF token via a crafted event message.

Affected (2)

Products: Liferay: Digital Experience Platform, Liferay Portal

2 products

Digital Experience Platform

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Liferay Digital Experience Platform	Up to 7.4
Liferay Liferay Portal	From 7.4.3.4 to 7.4.3.9

Related CWEs

Origin Validation Error

The product does not properly verify that the source of data or communication is valid.

References (6)

http://liferay.com

Source: cve@mitre.org

Vendor Advisory

https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-25146-csrf-token-exfiltration-via-remote-apps

Source: cve@mitre.org

Vendor Advisory

https://www.securitum.pl

Source: cve@mitre.org

Not ApplicableThird Party Advisory

http://liferay.com

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-25146-csrf-token-exfiltration-via-remote-apps

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.securitum.pl

Source: af854a3a-2127-422b-91ae-364da2661108

Not ApplicableThird Party Advisory

Timeline

No history available yet.