medium
6.1
CWE
79
Advisory Published
Updated

CVE-2022-26596: XSS

First published: Mon Apr 25 2022(Updated: )

Cross-site scripting (XSS) vulnerability in Journal module's web content display configuration page in Liferay Portal 7.1.0 through 7.3.3, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 8, allows remote attackers to inject arbitrary web script or HTML via web content template names.

Credit: cve@mitre.org

Affected SoftwareAffected VersionHow to fix
Liferay DXP=7.0
Liferay DXP=7.0-fix_pack_1
Liferay DXP=7.0-fix_pack_10
Liferay DXP=7.0-fix_pack_11
Liferay DXP=7.0-fix_pack_12
Liferay DXP=7.0-fix_pack_13
Liferay DXP=7.0-fix_pack_14
Liferay DXP=7.0-fix_pack_15
Liferay DXP=7.0-fix_pack_16
Liferay DXP=7.0-fix_pack_17
Liferay DXP=7.0-fix_pack_18
Liferay DXP=7.0-fix_pack_19
Liferay DXP=7.0-fix_pack_2
Liferay DXP=7.0-fix_pack_20
Liferay DXP=7.0-fix_pack_21
Liferay DXP=7.0-fix_pack_22
Liferay DXP=7.0-fix_pack_23
Liferay DXP=7.0-fix_pack_24
Liferay DXP=7.0-fix_pack_25
Liferay DXP=7.0-fix_pack_26
Liferay DXP=7.0-fix_pack_27
Liferay DXP=7.0-fix_pack_28
Liferay DXP=7.0-fix_pack_29
Liferay DXP=7.0-fix_pack_3
Liferay DXP=7.0-fix_pack_30
Liferay DXP=7.0-fix_pack_31
Liferay DXP=7.0-fix_pack_32
Liferay DXP=7.0-fix_pack_33
Liferay DXP=7.0-fix_pack_34
Liferay DXP=7.0-fix_pack_35
Liferay DXP=7.0-fix_pack_36
Liferay DXP=7.0-fix_pack_37
Liferay DXP=7.0-fix_pack_38
Liferay DXP=7.0-fix_pack_39
Liferay DXP=7.0-fix_pack_4
Liferay DXP=7.0-fix_pack_40
Liferay DXP=7.0-fix_pack_41
Liferay DXP=7.0-fix_pack_42
Liferay DXP=7.0-fix_pack_43
Liferay DXP=7.0-fix_pack_44
Liferay DXP=7.0-fix_pack_45
Liferay DXP=7.0-fix_pack_46
Liferay DXP=7.0-fix_pack_47
Liferay DXP=7.0-fix_pack_48
Liferay DXP=7.0-fix_pack_49
Liferay DXP=7.0-fix_pack_5
Liferay DXP=7.0-fix_pack_50
Liferay DXP=7.0-fix_pack_51
Liferay DXP=7.0-fix_pack_52
Liferay DXP=7.0-fix_pack_53
Liferay DXP=7.0-fix_pack_54
Liferay DXP=7.0-fix_pack_55
Liferay DXP=7.0-fix_pack_56
Liferay DXP=7.0-fix_pack_57
Liferay DXP=7.0-fix_pack_58
Liferay DXP=7.0-fix_pack_59
Liferay DXP=7.0-fix_pack_6
Liferay DXP=7.0-fix_pack_60
Liferay DXP=7.0-fix_pack_61
Liferay DXP=7.0-fix_pack_62
Liferay DXP=7.0-fix_pack_63
Liferay DXP=7.0-fix_pack_64
Liferay DXP=7.0-fix_pack_65
Liferay DXP=7.0-fix_pack_66
Liferay DXP=7.0-fix_pack_67
Liferay DXP=7.0-fix_pack_68
Liferay DXP=7.0-fix_pack_69
Liferay DXP=7.0-fix_pack_7
Liferay DXP=7.0-fix_pack_70
Liferay DXP=7.0-fix_pack_71
Liferay DXP=7.0-fix_pack_72
Liferay DXP=7.0-fix_pack_73
Liferay DXP=7.0-fix_pack_74
Liferay DXP=7.0-fix_pack_75
Liferay DXP=7.0-fix_pack_76
Liferay DXP=7.0-fix_pack_77
Liferay DXP=7.0-fix_pack_78
Liferay DXP=7.0-fix_pack_79
Liferay DXP=7.0-fix_pack_8
Liferay DXP=7.0-fix_pack_80
Liferay DXP=7.0-fix_pack_81
Liferay DXP=7.0-fix_pack_82
Liferay DXP=7.0-fix_pack_83
Liferay DXP=7.0-fix_pack_84
Liferay DXP=7.0-fix_pack_85
Liferay DXP=7.0-fix_pack_86
Liferay DXP=7.0-fix_pack_87
Liferay DXP=7.0-fix_pack_88
Liferay DXP=7.0-fix_pack_89
Liferay DXP=7.0-fix_pack_9
Liferay DXP=7.0-fix_pack_90
Liferay DXP=7.0-fix_pack_91
Liferay DXP=7.0-fix_pack_92
Liferay DXP=7.0-fix_pack_93
Liferay DXP=7.1
Liferay DXP=7.1-fix_pack_1
Liferay DXP=7.1-fix_pack_10
Liferay DXP=7.1-fix_pack_11
Liferay DXP=7.1-fix_pack_12
Liferay DXP=7.1-fix_pack_13
Liferay DXP=7.1-fix_pack_14
Liferay DXP=7.1-fix_pack_15
Liferay DXP=7.1-fix_pack_16
Liferay DXP=7.1-fix_pack_17
Liferay DXP=7.1-fix_pack_18
Liferay DXP=7.2
Liferay DXP=7.2-fix_pack_1
Liferay DXP=7.2-fix_pack_2
Liferay DXP=7.2-fix_pack_3
Liferay DXP=7.2-fix_pack_4
Liferay DXP=7.2-fix_pack_5
Liferay DXP=7.2-fix_pack_6
Liferay DXP=7.2-fix_pack_7
Liferay 7.4 GA>=7.1.0<=7.3.3

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2022-26596?

    CVE-2022-26596 has a medium severity level due to its potential for cross-site scripting (XSS) attacks.

  • How do I fix CVE-2022-26596?

    To fix CVE-2022-26596, update Liferay Portal to version 7.3.3 or apply the relevant fix packs for versions 7.0, 7.1, and 7.2 as specified in the security advisory.

  • Which versions of Liferay are affected by CVE-2022-26596?

    CVE-2022-26596 affects Liferay Portal versions 7.1.0 through 7.3.3 and Liferay DXP 7.0 before fix pack 94.

  • Can CVE-2022-26596 be exploited remotely?

    Yes, CVE-2022-26596 can be exploited remotely by attackers to inject arbitrary web scripts or HTML.

  • What is the nature of the vulnerability in CVE-2022-26596?

    CVE-2022-26596 is a cross-site scripting (XSS) vulnerability that allows for the injection of scripts into web pages.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203