CVE-2022-25146 com.liferay.portal:release.dxp.bom

Package

Manager: maven
Name: com.liferay.portal:release.dxp.bom
Vulnerable Version: >=0 <7.4.13.u5

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00214 pctl0.43953

Details

Liferay Portal and Liferay DXP fail to check the origin of event messages.

The Remote App module before 2.0.21, shipped in Liferay Portal 7.4.3.4 through 7.4.3.8 and Liferay DXP 7.4 before update 5, does not check whether the origin of the event messages it receives matches the origin of the Remote App. An attacker who can deliver a crafted event message to the affected page can therefore exfiltrate the CSRF token. The affected Maven artifact above is fixed from 7.4.13.u5 onward.
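The weakness class here (CWE-346, origin validation error) is the classic postMessage mistake: a host page handles `message` events without comparing `event.origin` to the origin it expects. The following is an added example, not Liferay's code, that models the pattern as a browser-side message broker so the vulnerable and hardened handlers can be compared side by side. The message shape (`type`/`key`), the Remote App origin, the token value and the attacker origins are all constructed assumptions for illustration; the real Remote App protocol is not reproduced.

```javascript
// Added example (not Liferay's code). Models a host page that brokers postMessage
// "event messages" for an embedded Remote App and answers some of them with
// sensitive state. Message types, field names, origins and the token are assumptions.

const REMOTE_APP_ORIGIN = 'https://remote-app.example'; // assumed configured Remote App origin
const CSRF_TOKEN = 'constructed-p_auth-token';          // constructed stand-in for the real token

// Minimal stand-in for the browser's MessageEvent so the example runs under Node.
// In a browser, `origin` is filled in by the browser from the sender's document and
// cannot be forged by the sender; `source` is the sending window.
function makeMessageEvent(origin, data) {
  return { origin, data, source: { origin } };
}

// Vulnerable pattern: trusts any window that can reach this one with postMessage.
// Returns the reply the handler would post back, or null when it ignores the message.
function handleEventMessageVulnerable(event) {
  const data = event.data || {};
  if (data.type === 'get' && data.key === 'authToken') {
    // Reply goes to whoever asked, and targetOrigin '*' lets any receiver read it.
    return { targetOrigin: '*', payload: { key: 'authToken', value: CSRF_TOKEN } };
  }
  return null;
}

// Hardened pattern: exact comparison of event.origin against the configured
// Remote App origin (the CWE-346 fix), and the reply is addressed to that origin only.
function handleEventMessageFixed(event, remoteAppOrigin = REMOTE_APP_ORIGIN) {
  // URL.origin normalises the configured value (trailing slash, default port, case).
  const expected = new URL(remoteAppOrigin).origin;
  if (typeof event.origin !== 'string' || event.origin !== expected) {
    return null; // drop silently; do not reveal which keys exist
  }
  const data = event.data || {};
  if (data.type === 'get' && data.key === 'authToken') {
    return { targetOrigin: expected, payload: { key: 'authToken', value: CSRF_TOKEN } };
  }
  return null;
}

// Common half-fix: prefix or substring matching on the origin. A lookalike
// origin that merely starts with the trusted string passes this check.
function isTrustedOriginPrefixCheck(origin, remoteAppOrigin = REMOTE_APP_ORIGIN) {
  return origin.startsWith(remoteAppOrigin);
}

// Constructed scenario: the attacker's page holds a reference to the host window
// (for example it opened it with window.open) and sends the same request the
// legitimate Remote App would send.
const craftedRequest = { type: 'get', key: 'authToken' };
const fromAttacker = makeMessageEvent('https://attacker.example', craftedRequest);
const fromRemoteApp = makeMessageEvent(REMOTE_APP_ORIGIN, craftedRequest);
const fromLookalike = makeMessageEvent('https://remote-app.example.attacker.example', craftedRequest);

// Summarises the outcomes so they can be inspected or asserted on.
function demo() {
  return {
    vulnerableLeaksToAttacker: handleEventMessageVulnerable(fromAttacker) !== null,
    fixedAnswersRemoteApp: handleEventMessageFixed(fromRemoteApp) !== null,
    fixedIgnoresAttacker: handleEventMessageFixed(fromAttacker) === null,
    fixedIgnoresLookalike: handleEventMessageFixed(fromLookalike) === null,
    prefixCheckFooledByLookalike: isTrustedOriginPrefixCheck(fromLookalike.origin),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Two points the example is meant to make concrete: the check has to be an exact comparison of `event.origin` against a configured origin (not a prefix, substring or regex match), and the reply should be posted with that same origin as `targetOrigin` rather than `'*'`, so even a message that slips through cannot be read by an unintended receiver.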

Metadata

Created: 2022-03-04T00:00:19Z
Modified: 2025-07-15T19:01:58Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-ghw5-998m-vw4w/GHSA-ghw5-998m-vw4w.json
CWE IDs: ["CWE-346"]
Alternative ID: GHSA-ghw5-998m-vw4w
Finding: F184
Auto approve: 1