PT-2022-24614 · Liferay · Liferay Digital Experience Platform
Rafal Lykowski
·
Published
2022-10-19
·
Updated
2025-05-09
·
CVE-2022-38901
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Liferay Digital Experience Platform version 7.3.10 SP3
Description
A Cross-site scripting (XSS) issue exists in the file upload functionality of the Document and Media module, allowing remote attackers to inject arbitrary JS script or HTML into the description field of uploaded svg files.
Recommendations
For Liferay Digital Experience Platform version 7.3.10 SP3, consider restricting access to the file upload functionality in the Document and Media module until a fix is available, and avoid using the description field for uploaded svg files to minimize the risk of exploitation.
Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Liferay Digital Experience Platform