Vulnerability CVE-2022-25146

Vulnerability CVE-2022-25146

Published: 2022-03-03

Description:

The Remote App module in Liferay Portal through v7.4.3.8 and Liferay DXP through v7.4 does not check if the origin of event messages it receives matches the origin of the Remote App, allowing attackers to exfiltrate the CSRF token via a crafted event message.

Type:

CWE-346

(Origin Validation Error)

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Base Score	Impact Subscore	Exploitability Subscore
5/10	2.9/10	10/10

Exploit range	Attack complexity	Authentication
Remote	Low	No required
Confidentiality impact	Integrity impact	Availability impact
Partial	None	None

Affected software
Liferay -> Digital experience platform
Liferay -> Liferay portal

References:

https://www.securitum.pl

https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-25146-csrf-token-exfiltration-via-remote-apps

http://liferay.com

Vulnerability CVE-2022-25146

The Remote App module in Liferay Portal through v7.4.3.8 and Liferay DXP through v7.4 does not check if the origin of event messages it receives matches the origin of the Remote App, allowing attackers to exfiltrate the CSRF token via a crafted event message.

CWE-346

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:N/A:N)

5/10

2.9/10

10/10

Remote

Low

No required

Partial

None

None

Affected software

References: