CSRF Token Exfiltration Vulnerability in Liferay Portal by Liferay
CVE-2022-25146

5.3MEDIUM

Key Information:

Vendor

Liferay
Status
Liferay Portal
Digital Experience Platform
Vendor
CVE Published:
3 March 2022

What is CVE-2022-25146?

The Remote App module in Liferay Portal has a vulnerability that fails to verify whether the source of incoming event messages corresponds to the originating Remote App. This oversight allows potential attackers to exfiltrate Cross-Site Request Forgery (CSRF) tokens through specially crafted event messages, potentially compromising user sessions and enabling unauthorized actions on behalf of legitimate users.

References

http://liferay.com
x_refsource_MISC
https://www.securitum.pl
x_refsource_MISC
https://portal.liferay.dev/learn/security/known-vulnerabi...
x_refsource_MISC

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.