First published: Thu Oct 13 2022
A cross-site scripting (XSS) vulnerability in the Blog module - add new topic functionality in Liferay Digital Experience Platform 7.3.10 SP3 allows remote attackers to inject arbitrary JS script or HTML into the name field of a newly created topic.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Liferay DXP | =7.3 | |
Liferay DXP | =7.3-sp1 | |
Liferay DXP | =7.3-sp2 | |
Liferay DXP | =7.3-sp3 | |
Liferay DXP | =7.3-update_1 | |
Liferay DXP | =7.3-update_2 | |
Liferay DXP | =7.3-update_3 | |
Liferay DXP | =7.3-update_4 | |
Liferay DXP | =7.3-update_5 | |
Liferay DXP | =7.3-update_6 | |
Liferay DXP | =7.3-update_7 | |
Liferay DXP | =7.3-update_8 | |
Liferay Portal | >=7.3.0 <=7.4.0 | |
CVE-2022-38902 is a cross-site scripting (XSS) vulnerability in the Blog module - add new topic functionality in Liferay Digital Experience Platform 7.3.10 SP3.
CVE-2022-38902 affects Liferay DXP 7.3 versions up to 7.3 SP3.
CVE-2022-38902 has a severity rating of medium with a score of 5.4 (CVSS v3.1).
Remote attackers can exploit CVE-2022-38902 by injecting arbitrary JavaScript or HTML into the name field of a newly created topic in the Blog module.
References for CVE-2022-38902: [Link 1](http://liferay.com), [Link 2](https://drive.proton.me/urls/D27RQ14NGW#b71d8XrBl2Mu), [Link 3](https://www.offensity.com/en/blog/authenticated-persistent-xss-in-liferay-dxp-cms-cve-2022-38901-and-cve-2022-38902/).