QID 731110
Date Published: 2024-01-30
QID 731110: Liferay Portal Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2022-38902)
Liferay Portal is an open-source enterprise web platform for building business solutions and collaborative applications.
A Cross-site scripting (XSS) vulnerability in the Document Library module in Liferay Portal allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an SVG file's 'Description' text field.
Affected Versions:
Liferay Portal 7.3.5 - 7.3.7
Liferay Portal 7.4.0 - 7.4.3.28
QID Detection Logic (Unauthenticated):
This QID checks for vulnerable version of Liferay Portal in response banner.
Successful exploitation of this vulnerability allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an SVG file's 'Description' text field.
Solution
Vendor has released patch. For more info, please refer to Liferay Portal Security Advisory
Vendor References
CVEs related to QID 731110
Software Advisories
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| CVE-2022-38902 |
|