Cross-Site Scripting Vulnerability in Liferay Digital Experience Platform
CVE-2022-38901
5.4MEDIUM
What is CVE-2022-38901?
A cross-site scripting vulnerability exists within the Document and Media module of Liferay Digital Experience Platform, specifically in the file upload functionality. This flaw enables remote attackers to inject arbitrary JavaScript or HTML code into the description field of uploaded SVG files. Exploiting this vulnerability could allow an attacker to execute malicious scripts in the context of a user session, facilitating unauthorized actions or data exposure.
References
CVSS V3.1
Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed
Timeline
Vulnerability published
Vulnerability Reserved