A cross-site scripting (XSS) vulnerability in the Document and Media module's file upload functionality in Liferay Digital Experience Platform 7.3.10 SP3 allows remote attackers to inject arbitrary JavaScript or HTML into the description field of an uploaded SVG file.
References
Link | Resource |
---|---|
http://liferay.com | Vendor Advisory |
https://drive.proton.me/urls/D27RQ14NGW#b71d8XrBl2Mu | Third Party Advisory |
https://www.offensity.com/en/blog/authenticated-persistent-xss-in-liferay-dxp-cms-cve-2022-38901-and-cve-2022-38902/ | Exploit, Third Party Advisory |
History
21 Oct 2022, 20:19
Type | Values Removed | Values Added |
---|---|---|
CPE | | cpe:2.3:a:liferay:dxp:*:*:*:*:*:*:*:* cpe:2.3:a:liferay:dxp:7.4:update_8:*:*:*:*:*:* cpe:2.3:a:liferay:dxp:7.3:update_2:*:*:*:*:*:* cpe:2.3:a:liferay:dxp:7.3:update_1:*:*:*:*:*:* cpe:2.3:a:liferay:dxp:7.4:update_24:*:*:*:*:*:* cpe:2.3:a:liferay:dxp:7.4:update_12:*:*:*:*:*:* cpe:2.3:a:liferay:dxp:7.4:update_20:*:*:*:*:*:* cpe:2.3:a:liferay:dxp:7.4:update_18:*:*:*:*:*:* cpe:2.3:a:liferay:dxp:7.3:update_5:*:*:*:*:*:* cpe:2.3:a:liferay:dxp:7.4:update_5:*:*:*:*:*:* cpe:2.3:a:liferay:dxp:7.4:update_21:*:*:*:*:*:* cpe:2.3:a:liferay:dxp:7.3:update_3:*:*:*:*:*:* cpe:2.3:a:liferay:dxp:7.3:update_4:*:*:*:*:*:* cpe:2.3:a:liferay:dxp:7.4:update_2:*:*:*:*:*:* cpe:2.3:a:liferay:dxp:7.4:update_10:*:*:*:*:*:* cpe:2.3:a:liferay:dxp:7.4:update_15:*:*:*:*:*:* cpe:2.3:a:liferay:dxp:7.4:update_16:*:*:*:*:*:* cpe:2.3:a:liferay:dxp:7.4:update_9:*:*:*:*:*:* cpe:2.3:a:liferay:dxp:7.4:update_25:*:*:*:*:*:* cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:* cpe:2.3:a:liferay:dxp:7.4:update_4:*:*:*:*:*:* cpe:2.3:a:liferay:dxp:7.4:update_14:*:*:*:*:*:* cpe:2.3:a:liferay:dxp:7.4:update_28:*:*:*:*:*:* cpe:2.3:a:liferay:dxp:7.4:update_6:*:*:*:*:*:* cpe:2.3:a:liferay:dxp:7.4:update_26:*:*:*:*:*:* cpe:2.3:a:liferay:dxp:7.3:-:*:*:*:*:*:* cpe:2.3:a:liferay:dxp:7.4:update_7:*:*:*:*:*:* cpe:2.3:a:liferay:dxp:7.4:update_23:*:*:*:*:*:* cpe:2.3:a:liferay:dxp:7.4:update_1:*:*:*:*:*:* cpe:2.3:a:liferay:dxp:7.4:update_17:*:*:*:*:*:* cpe:2.3:a:liferay:dxp:7.4:update_3:*:*:*:*:*:* cpe:2.3:a:liferay:dxp:7.4:update_22:*:*:*:*:*:* cpe:2.3:a:liferay:dxp:7.4:update_19:*:*:*:*:*:* cpe:2.3:a:liferay:dxp:7.4:update_13:*:*:*:*:*:* cpe:2.3:a:liferay:dxp:7.4:update_11:*:*:*:*:*:* cpe:2.3:a:liferay:dxp:7.4:update_27:*:*:*:*:*:* |
First Time | | Liferay dxp; Liferay liferay Portal; Liferay |
CWE | | CWE-79 |
CVSS | v2 : v3 : | v2 : unknown v3 : 5.4 |
References | | (MISC) https://www.offensity.com/en/blog/authenticated-persistent-xss-in-liferay-dxp-cms-cve-2022-38901-and-cve-2022-38902/ - Exploit, Third Party Advisory |
References | | (MISC) http://liferay.com - Vendor Advisory |
References | | (MISC) https://drive.proton.me/urls/D27RQ14NGW#b71d8XrBl2Mu - Third Party Advisory |
19 Oct 2022, 02:15
Type | Values Removed | Values Added |
---|---|---|
New CVE | | |
Information
Published : 2022-10-19 02:15
Updated : 2023-12-10 14:35
NVD link : CVE-2022-38901
Mitre link : CVE-2022-38901
CVE.ORG link : CVE-2022-38901
Products Affected
liferay
- dxp
- liferay_portal
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')