QID 731111
Date Published: 2024-01-30
QID 731111: Liferay Portal Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2022-38901)
Liferay Portal is an open-source enterprise web platform for building business solutions and collaborative applications.
A Cross-site scripting (XSS) vulnerability in the Document and Media module's file upload functionality in Liferay allows remote attackers to inject arbitrary JS script or HTML into the description field of uploaded SVG files.
Affected Versions:
Liferay Portal 7.3.0 - 7.3.7
Liferay Portal 7.4.0 - 7.4.2
QID Detection Logic (Unauthenticated):
This QID checks for vulnerable version of Liferay Portal in response banner.
Successful exploitation of this vulnerability allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into the 'Name' text field of a category.
Solution
Vendor has released patch. For more info, please refer to Liferay Portal Security Advisory
Vendor References
CVEs related to QID 731111
Software Advisories
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| CVE-2022-38901 |
|