Description
The Remote App module in Liferay Portal through v7.4.3.8 and Liferay DXP through v7.4 does not check if the origin of event messages it receives matches the origin of the Remote App, allowing attackers to exfiltrate the CSRF token via a crafted event message.
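The missing check described above is the classic cross-window messaging pitfall: a `message` listener that acts on any event without comparing `event.origin` to the origin it expects. The following is an added example, not Liferay's code, contrasting a listener that answers a token request from any origin with one that first derives the Remote App's origin from its configured URL and drops everything else; the event objects, URLs and token value are constructed for the demonstration.

```javascript
// Added example (hypothetical, not Liferay code): origin validation for
// cross-window event messages. In a browser the handlers below would be wired
// up with window.addEventListener("message", (e) => hardenedHandler(e, ...)).

// Reduce a configured Remote App URL to its origin (scheme://host[:port]),
// which is exactly what a MessageEvent carries in event.origin.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch (e) {
    return null; // unparsable configuration: treat as "no trusted origin"
  }
}

// Vulnerable pattern: processes the request regardless of who sent it, so any
// frame or window able to post a message can obtain the token.
function vulnerableHandler(event, csrfToken) {
  if (event.data && event.data.type === "getCsrfToken") {
    return { type: "csrfToken", token: csrfToken };
  }
  return null;
}

// Hardened pattern: exact match of event.origin against the Remote App's origin.
// The opaque origin "null" (sandboxed iframes, data: URLs) never matches.
// When replying, pass the expected origin to postMessage instead of "*".
function hardenedHandler(event, csrfToken, remoteAppUrl) {
  const expected = originOf(remoteAppUrl);
  if (!expected || event.origin !== expected) {
    return null; // dropped: origin mismatch (worth logging in production)
  }
  if (event.data && event.data.type === "getCsrfToken") {
    return { type: "csrfToken", token: csrfToken };
  }
  return null;
}

// Constructed sample events: the shape of a MessageEvent (origin + data).
const SAMPLE_TOKEN = "csrf-token-placeholder";
const REMOTE_APP_URL = "https://remote-app.example/index.html";
const ownEvent = { origin: "https://remote-app.example", data: { type: "getCsrfToken" } };
const foreignEvent = { origin: "https://other.example", data: { type: "getCsrfToken" } };

function demo() {
  return {
    vulnerableLeaks: vulnerableHandler(foreignEvent, SAMPLE_TOKEN) !== null,
    hardenedDropsForeign: hardenedHandler(foreignEvent, SAMPLE_TOKEN, REMOTE_APP_URL) === null,
    hardenedServesOwn: hardenedHandler(ownEvent, SAMPLE_TOKEN, REMOTE_APP_URL) !== null,
  };
}
```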
Remediation
References