Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

Liferay Portal Origin Validation Error Vulnerability (CVE-2022-25146)

Description

The Remote App module in Liferay Portal through v7.4.3.8 and Liferay DXP through v7.4 does not check if the origin of event messages it receives matches the origin of the Remote App, allowing attackers to exfiltrate the CSRF token via a crafted event message.

Remediation

References

Related Vulnerabilities

MySQL CVE-2019-2802 Vulnerability (CVE-2019-2802)

Moodle Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2012-2364)

PHP Improper Input Validation Vulnerability (CVE-2011-1398)

Liferay Portal Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2017-1000425)

WordPress Plugin Tutor LMS-eLearning and online course solution Cross-Site Scripting (1.9.14)

Severity

Medium

Classification

CVE-2022-25146 CWE-346 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Tags

Missing Update Known Vulnerabilities