First published: Wed Oct 19 2022
A cross-site scripting (XSS) vulnerability in the file upload functionality of the Document and Media module in Liferay Digital Experience Platform 7.3.10 SP3 allows remote attackers to inject arbitrary JavaScript or HTML into the description field of an uploaded SVG file.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Liferay DXP | >=7.0<7.3 | |
Liferay DXP | =7.3 | |
Liferay DXP | =7.3-update_1 | |
Liferay DXP | =7.3-update_2 | |
Liferay DXP | =7.3-update_3 | |
Liferay DXP | =7.3-update_4 | |
Liferay DXP | =7.3-update_5 | |
Liferay DXP | =7.4-update_1 | |
Liferay DXP | =7.4-update_10 | |
Liferay DXP | =7.4-update_11 | |
Liferay DXP | =7.4-update_12 | |
Liferay DXP | =7.4-update_13 | |
Liferay DXP | =7.4-update_14 | |
Liferay DXP | =7.4-update_15 | |
Liferay DXP | =7.4-update_16 | |
Liferay DXP | =7.4-update_17 | |
Liferay DXP | =7.4-update_18 | |
Liferay DXP | =7.4-update_19 | |
Liferay DXP | =7.4-update_2 | |
Liferay DXP | =7.4-update_20 | |
Liferay DXP | =7.4-update_21 | |
Liferay DXP | =7.4-update_22 | |
Liferay DXP | =7.4-update_23 | |
Liferay DXP | =7.4-update_24 | |
Liferay DXP | =7.4-update_25 | |
Liferay DXP | =7.4-update_26 | |
Liferay DXP | =7.4-update_27 | |
Liferay DXP | =7.4-update_28 | |
Liferay DXP | =7.4-update_3 | |
Liferay DXP | =7.4-update_4 | |
Liferay DXP | =7.4-update_5 | |
Liferay DXP | =7.4-update_6 | |
Liferay DXP | =7.4-update_7 | |
Liferay DXP | =7.4-update_8 | |
Liferay DXP | =7.4-update_9 | |
Liferay Portal | >=7.3.5<=7.4.3.28 | |
The severity of CVE-2022-38901 is medium with a CVSS score of 5.4.
CVE-2022-38901 affects Liferay Digital Experience Platform 7.0 to 7.3.10 SP3.
CVE-2022-38901 is a Cross-Site Scripting (XSS) vulnerability in the Document and Media module file upload functionality.
Remote attackers can inject arbitrary JavaScript or HTML into the description field of an uploaded SVG file.
Yes, Liferay released updates to address CVE-2022-38901. It is recommended to upgrade to the latest version of Liferay Digital Experience Platform.