CVE-2022-25146

The Remote App module in Liferay Portal Liferay Portal v7.4.3.4 through v7.4.3.8 and Liferay DXP 7.4 before update 5 does not check if the origin of event messages it receives matches the origin of the Remote App, allowing attackers to exfiltrate the CSRF token via a crafted event message.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*
cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2022-03-03 00:15

Updated : 2024-02-28 19:09


NVD link : CVE-2022-25146

Mitre link : CVE-2022-25146

CVE.ORG link : CVE-2022-25146


JSON object : View

Products Affected

liferay

  • liferay_portal
  • digital_experience_platform
CWE
CWE-346

Origin Validation Error