CVE-2022-38901: XSS
First published: Wed Oct 19 2022(Updated: )
A Cross-site scripting (XSS) vulnerability in the Document and Media module - file upload functionality in Liferay Digital Experience Platform 7.3.10 SP3 allows remote attackers to inject arbitrary JS script or HTML into the description field of uploaded svg file.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Liferay 7.4 GA | >=7.0<7.3 | |
| Liferay 7.4 GA | =7.3 | |
| Liferay 7.4 GA | =7.3-update_1 | |
| Liferay 7.4 GA | =7.3-update_2 | |
| Liferay 7.4 GA | =7.3-update_3 | |
| Liferay 7.4 GA | =7.3-update_4 | |
| Liferay 7.4 GA | =7.3-update_5 | |
| Liferay 7.4 GA | =7.4-update_1 | |
| Liferay 7.4 GA | =7.4-update_10 | |
| Liferay 7.4 GA | =7.4-update_11 | |
| Liferay 7.4 GA | =7.4-update_12 | |
| Liferay 7.4 GA | =7.4-update_13 | |
| Liferay 7.4 GA | =7.4-update_14 | |
| Liferay 7.4 GA | =7.4-update_15 | |
| Liferay 7.4 GA | =7.4-update_16 | |
| Liferay 7.4 GA | =7.4-update_17 | |
| Liferay 7.4 GA | =7.4-update_18 | |
| Liferay 7.4 GA | =7.4-update_19 | |
| Liferay 7.4 GA | =7.4-update_2 | |
| Liferay 7.4 GA | =7.4-update_20 | |
| Liferay 7.4 GA | =7.4-update_21 | |
| Liferay 7.4 GA | =7.4-update_22 | |
| Liferay 7.4 GA | =7.4-update_23 | |
| Liferay 7.4 GA | =7.4-update_24 | |
| Liferay 7.4 GA | =7.4-update_25 | |
| Liferay 7.4 GA | =7.4-update_26 | |
| Liferay 7.4 GA | =7.4-update_27 | |
| Liferay 7.4 GA | =7.4-update_28 | |
| Liferay 7.4 GA | =7.4-update_3 | |
| Liferay 7.4 GA | =7.4-update_4 | |
| Liferay 7.4 GA | =7.4-update_5 | |
| Liferay 7.4 GA | =7.4-update_6 | |
| Liferay 7.4 GA | =7.4-update_7 | |
| Liferay 7.4 GA | =7.4-update_8 | |
| Liferay 7.4 GA | =7.4-update_9 | |
| Liferay 7.4 GA | >=7.3.5<=7.4.3.28 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2022-38901?
The severity of CVE-2022-38901 is medium with a CVSS score of 5.4.
How does CVE-2022-38901 affect Liferay Digital Experience Platform?
CVE-2022-38901 affects Liferay Digital Experience Platform 7.0 to 7.3.10 SP3.
What is the vulnerability in CVE-2022-38901?
CVE-2022-38901 is a Cross-Site Scripting (XSS) vulnerability in the Document and Media module file upload functionality.
How can remote attackers exploit CVE-2022-38901?
Remote attackers can inject arbitrary JavaScript or HTML into the description field of an uploaded SVG file.
Are there any known fixes for CVE-2022-38901?
Yes, Liferay released updates to address CVE-2022-38901. It is recommended to upgrade to the latest version of Liferay Digital Experience Platform.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/author
- agent/references
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/weakness
- vendor/liferay
- canonical/liferay 7.4 ga
- version/liferay 7.4 ga/7.0
- version/liferay 7.4 ga/7.3
- version/liferay 7.4 ga/7.3-update_1
- version/liferay 7.4 ga/7.3-update_2
- version/liferay 7.4 ga/7.3-update_3
- version/liferay 7.4 ga/7.3-update_4
- version/liferay 7.4 ga/7.3-update_5
- version/liferay 7.4 ga/7.4-update_1
- version/liferay 7.4 ga/7.4-update_10
- version/liferay 7.4 ga/7.4-update_11
- version/liferay 7.4 ga/7.4-update_12
- version/liferay 7.4 ga/7.4-update_13
- version/liferay 7.4 ga/7.4-update_14
- version/liferay 7.4 ga/7.4-update_15
- version/liferay 7.4 ga/7.4-update_16
- version/liferay 7.4 ga/7.4-update_17
- version/liferay 7.4 ga/7.4-update_18
- version/liferay 7.4 ga/7.4-update_19
- version/liferay 7.4 ga/7.4-update_2
- version/liferay 7.4 ga/7.4-update_20
- version/liferay 7.4 ga/7.4-update_21
- version/liferay 7.4 ga/7.4-update_22
- version/liferay 7.4 ga/7.4-update_23
- version/liferay 7.4 ga/7.4-update_24
- version/liferay 7.4 ga/7.4-update_25
- version/liferay 7.4 ga/7.4-update_26
- version/liferay 7.4 ga/7.4-update_27
- version/liferay 7.4 ga/7.4-update_28
- version/liferay 7.4 ga/7.4-update_3
- version/liferay 7.4 ga/7.4-update_4
- version/liferay 7.4 ga/7.4-update_5
- version/liferay 7.4 ga/7.4-update_6
- version/liferay 7.4 ga/7.4-update_7
- version/liferay 7.4 ga/7.4-update_8
- version/liferay 7.4 ga/7.4-update_9
- version/liferay 7.4 ga/7.3.5
- version/liferay 7.4 ga/7.4.3.28