Cross-Site Scripting Vulnerability in Liferay Digital Experience Platform
CVE-2022-38901

5.4MEDIUM

Key Information:

Vendor

Liferay
Status
Dxp
Liferay Portal
Vendor
CVE Published:
19 October 2022

What is CVE-2022-38901?

A cross-site scripting vulnerability exists within the Document and Media module of Liferay Digital Experience Platform, specifically in the file upload functionality. This flaw enables remote attackers to inject arbitrary JavaScript or HTML code into the description field of uploaded SVG files. Exploiting this vulnerability could allow an attacker to execute malicious scripts in the context of a user session, facilitating unauthorized actions or data exposure.

References

http://liferay.com
https://drive.proton.me/urls/D27RQ14NGW#b71d8XrBl2Mu
https://www.offensity.com/en/blog/authenticated-persisten...

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.