CVE-2022-26596: Liferay Portal and Liferay DXP allows arbitrary injection via web content template names
(updated )
Cross-site scripting (XSS) vulnerability in Journal module’s web content display configuration page before 5.0.15 in Liferay Portal 7.1.0 through 7.3.3, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 8, allows remote attackers to inject arbitrary web script or HTML via web content template names.
References
- github.com/advisories/GHSA-w7f2-6896-6mm2
- github.com/liferay/liferay-portal
- github.com/liferay/liferay-portal/commit/c61976fc867f3add8eb429b99380e91f021f9313
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2022-26596-stored-xss-with-template-name?p_r_p_assetEntryId=121612108&_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_redirect=https%3A%2F%2Fliferay.dev%3A443%2Fportal%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_r_p_assetEntryId%3D121612108%26_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_cur%3D0%26p_r_p_resetCur%3Dfalse
- nvd.nist.gov/vuln/detail/CVE-2022-26596
Code Behaviors & Features
Detect and mitigate CVE-2022-26596 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →