PT-2022-17098 · Liferay · Liferay Portal, Liferay DXP

Jakub Zoczek · Published 2022-03-02 · Updated 2024-01-31 · CVE-2022-25146

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Liferay Portal versions 7.4.3.4 through 7.4.3.8
Liferay DXP 7.4 before update 5

Description

The issue concerns the Remote App module, which fails to verify that the origin of received event messages matches the Remote App's origin. This allows attackers to potentially exfiltrate the CSRF token by sending a crafted event message.

Recommendations

For Liferay Portal versions 7.4.3.4 through 7.4.3.8, update to a version outside of this range to resolve the issue. For Liferay DXP 7.4 before update 5, apply update 5 or later to fix the problem.
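The weakness class behind this advisory is a missing origin check on cross-window event messages (the browser's `message` event carries an `event.origin` that the receiver must compare against the origin it expects). The following is an added illustration of that check, written for this page; it is not Liferay's code, and the remote-app origin, the message shapes and the handler names are assumptions. It places an unvalidated handler beside a hardened one that accepts a message only when `event.origin` equals the configured remote-app origin.

```javascript
// Added illustration of origin validation on window.postMessage events.
// NOT Liferay's code: REMOTE_APP_ORIGIN, the message shapes and the handler
// names are assumptions made for this example.

// Weak pattern: the handler dispatches every "message" event it receives,
// regardless of which origin posted it.
function makeUnvalidatedHandler(dispatch) {
  return function onMessage(event) {
    dispatch(event.data); // no event.origin check
    return true;          // accepted
  };
}

// Compare serialized origins (scheme://host[:port]) for exact equality.
// No prefix or substring matching, which would let a look-alike origin
// such as "https://remote-app.example.test.evil.test" through.
function isTrustedOrigin(origin, expectedOrigin) {
  let expected;
  try {
    expected = new URL(expectedOrigin).origin; // normalise a URL to its origin
  } catch (e) {
    return false; // misconfigured expected origin: fail closed
  }
  return typeof origin === "string" && origin === expected;
}

// Hardened pattern: drop any message whose origin is not the remote app's.
function makeValidatedHandler(expectedOrigin, dispatch) {
  return function onMessage(event) {
    if (!isTrustedOrigin(event.origin, expectedOrigin)) {
      return false; // rejected: sender is not the configured remote app
    }
    dispatch(event.data);
    return true;    // accepted
  };
}

// Constructed sample events standing in for browser MessageEvent objects.
const REMOTE_APP_ORIGIN = "https://remote-app.example.test"; // assumed value
const sampleFromRemoteApp = {
  origin: "https://remote-app.example.test",
  data: { type: "ping" },
};
const sampleFromElsewhere = {
  origin: "https://other-site.example.test",
  data: { type: "foreign" },
};

// Runs both handlers over the samples and reports what each accepted.
function demo() {
  const dispatched = [];
  const dispatch = (msg) => dispatched.push(msg.type);
  const loose = makeUnvalidatedHandler(dispatch);
  const strict = makeValidatedHandler(REMOTE_APP_ORIGIN, dispatch);
  return {
    looseAcceptsForeign: loose(sampleFromElsewhere),   // true
    strictAcceptsForeign: strict(sampleFromElsewhere), // false
    strictAcceptsRemoteApp: strict(sampleFromRemoteApp), // true
    dispatched,                                        // ["foreign", "ping"]
  };
}

console.log(demo());
```

In a page, the hardened handler would be registered with `window.addEventListener("message", makeValidatedHandler(REMOTE_APP_ORIGIN, dispatch))`, with the expected origin taken from the remote app's configured URL rather than from the message itself. Messages from an opaque origin arrive with `event.origin` equal to the string `"null"` and are rejected by the same equality test.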

Fix

Weakness Enumeration

Origin Validation Error

Related Identifiers

BIT-LIFERAY-2022-25146
CVE-2022-25146
GHSA-GHW5-998M-VW4W

Affected Products

Liferay DXP
Liferay Portal