PT-2022-24615 · Liferay · Liferay Digital Experience Platform
Rafal Lykowski · Published 2022-10-13 · Updated 2025-05-15 · CVE-2022-38902
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Liferay Digital Experience Platform version 7.3.10 SP3
Description
A cross-site scripting (XSS) issue in the Blog module's add new topic functionality allows remote attackers to inject arbitrary JavaScript or HTML into the name field of newly created topics.
Recommendations
For Liferay Digital Experience Platform version 7.3.10 SP3, consider restricting access to the Blog module's add new topic functionality until a fix is available. As a temporary workaround, prevent arbitrary JavaScript or HTML from being injected into the name field of newly created topics.
Affected Products
Liferay Digital Experience Platform