Vulnerability Description
The Remote App module in Liferay Portal Liferay Portal v7.4.3.4 through v7.4.3.8 and Liferay DXP 7.4 before update 5 does not check if the origin of event messages it receives matches the origin of the Remote App, allowing attackers to exfiltrate the CSRF token via a crafted event message.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Liferay | Digital Experience Platform | <= 7.4 |
| Liferay | Liferay Portal | >= 7.4.3.4, < 7.4.3.9 |
Related Weaknesses (CWE)
References
- http://liferay.comVendor Advisory
- https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisheVendor Advisory
- https://www.securitum.plNot ApplicableThird Party Advisory
- http://liferay.comVendor Advisory
- https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisheVendor Advisory
- https://www.securitum.plNot ApplicableThird Party Advisory
FAQ
What is CVE-2022-25146?
CVE-2022-25146 is a vulnerability with a CVSS score of 5.3 (MEDIUM). The Remote App module in Liferay Portal Liferay Portal v7.4.3.4 through v7.4.3.8 and Liferay DXP 7.4 before update 5 does not check if the origin of event messages it receives matches the origin of th...
How severe is CVE-2022-25146?
CVE-2022-25146 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-25146?
Check the references section above for vendor advisories and patch information. Affected products include: Liferay Digital Experience Platform, Liferay Liferay Portal.