Liferay · Liferay Portal · CVE-2022-25146
**Name of the Vulnerable Software and Affected Versions**
Liferay Portal versions 7.4.3.4 through 7.4.3.8
Liferay DXP 7.4 before update 5
**Description**
The issue concerns the Remote App module, which does not verify that the origin of a received event message matches the Remote App's origin. This allows attackers to potentially exfiltrate the CSRF token by sending a crafted event message.
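The origin check described above, sketched as a hardened `message` handler. This is an added example and not Liferay's code; the function names, message shape, URL and token value are assumptions constructed for illustration.

```javascript
// Added example, not Liferay's code. Function names, message shape, URL and
// token value are hypothetical and constructed for illustration.

// Build a "message" event handler bound to the single origin the Remote App
// is served from.
function createRemoteAppMessageHandler(remoteAppURL, getCsrfToken) {
  // Derive scheme + host + port once from the configured Remote App URL.
  const expectedOrigin = new URL(remoteAppURL).origin;

  return function onMessage(event) {
    // The check whose absence the advisory describes: exact match, not
    // startsWith/includes, so look-alike hosts and "null" origins are dropped.
    if (event.origin !== expectedOrigin) return false;

    const data = event.data;
    if (!data || typeof data !== 'object' || data.type !== 'get-token') {
      return false;
    }
    // Reply to the validated origin only, never to the "*" wildcard.
    event.source.postMessage(
      { type: 'token', token: getCsrfToken() },
      expectedOrigin
    );
    return true;
  };
}

// Constructed events exercising the handler outside a browser. In a page it
// would be registered with window.addEventListener('message', handler).
function runConstructedEvents() {
  const sent = [];
  const source = {
    postMessage: (msg, targetOrigin) => sent.push({ msg, targetOrigin }),
  };
  const handler = createRemoteAppMessageHandler(
    'https://apps.example.com/widget/index.html',
    () => 'constructed-token'
  );
  const request = { type: 'get-token' };
  const results = [
    handler({ origin: 'https://apps.example.com', data: request, source }),
    handler({ origin: 'https://apps.example.com.other.example', data: request, source }),
    handler({ origin: 'null', data: request, source }),
  ];
  return { results, sent };
}

console.log(runConstructedEvents().results);
```

Only the first constructed event, whose origin equals the configured Remote App origin, receives a reply.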
**Recommendations**
For Liferay Portal versions 7.4.3.4 through 7.4.3.8, update to a version outside of this range to resolve the issue.
For Liferay DXP 7.4 before update 5, apply update 5 or later to fix the problem.