Skip to main content

Liferay Portal CVE-2022-26594

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2022-04-15 cve@mitre.org
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Apr 15, 2022 - 16:15 nvd
MEDIUM 6.1

DescriptionNVD

Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.3.5 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allow remote attackers to inject arbitrary web script or HTML via a form field's help text to (1) Forms module's form builder, or (2) App Builder module's object form view's form builder.

AnalysisAI

Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.3.5 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allow remote attackers to inject arbitrary web script or HTML via. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.3.5 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allow remote attackers to inject arbitrary web script or HTML via a form field's help text to (1) Forms module's form builder, or (2) App Builder module's object form view's form builder. Affected products include: Liferay Liferay Portal. Version information: through 7.4.0.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2020-7961 CRITICAL POC
9.8 Mar 20

Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary c

CVE-2025-4388 MEDIUM POC
6.9 May 06

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024

CVE-2019-16891 CRITICAL POC
9.8 Oct 04

Liferay Portal CE 6.2.5 allows remote command execution because of deserialization of a JSON payload. Rated critical sev

CVE-2020-13445 HIGH POC
8.8 Jun 10

In Liferay Portal before 7.3.2 and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 6

CVE-2018-10795 HIGH POC
8.8 May 07

Liferay 6.2.x and before has an FCKeditor configuration that allows an attacker to upload or transfer files of dangerous

CVE-2016-3670 MEDIUM POC
6.1 Jun 13

Cross-site scripting (XSS) vulnerability in users.jsp in the Profile Search functionality in Liferay before 7.0.0 CE RC1

CVE-2019-11444 HIGH POC
7.2 Apr 22

An issue was discovered in Liferay Portal CE 7.1.2 GA3. Rated high severity (CVSS 7.2), this vulnerability is remotely e

CVE-2025-4576 MEDIUM POC
6.9 Aug 08

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.133, and Liferay DXP 2025

CVE-2022-42118 MEDIUM POC
6.1 Nov 15

A Cross-site scripting (XSS) vulnerability in the Portal Search module in Liferay Portal 7.1.0 through 7.4.2, and Lifera

CVE-2017-17868 MEDIUM POC
6.1 Dec 27

In Liferay Portal 6.1.0, the tags section has XSS via a Public Render Parameter (p_r_p) value, as demonstrated by p_r_p_

CVE-2024-25608 MEDIUM POC
6.1 Feb 20

HtmlUtil.escapeRedirect in Liferay Portal 7.2.0 through 7.4.3.18, and older unsupported versions, and Liferay DXP 7.4 be

CVE-2022-42120 CRITICAL
9.8 Nov 15

A SQL injection vulnerability in the Fragment module in Liferay Portal 7.3.3 through 7.4.3.16, and Liferay DXP 7.3 befor

Share

CVE-2022-26594 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy