PT-2022-17947 · Liferay · Liferay Portal+1
Duy Huynh · Published 2022-04-15 · Updated 2022-04-22
CVE-2022-26594
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Liferay Portal versions 7.3.5 through 7.4.0
Liferay DXP versions 7.3 before service pack 3
Description
Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML via a form field's help text to the Forms module's form builder or the App Builder module's object form view's form builder.
Recommendations
For Liferay Portal versions 7.3.5 through 7.4.0, consider disabling the form builder in the Forms module and the object form view's form builder in the App Builder module until a patch is available.
For Liferay DXP versions 7.3 before service pack 3, consider disabling the form builder in the Forms module and the object form view's form builder in the App Builder module until a patch is available.
Restrict access to the form field's help text in the affected modules to minimize the risk of exploitation.
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Liferay DXP
Liferay Portal