CVE-2022-42117 The Frontend Taglib module in Liferay Portal 7.3.2 through 7.4.3.16, and Liferay DXP 7.3 before update 6 and 7.4 before update 17 is vulnerable to XSS. This can be used to perform malicious activities.
Exploitation Scenario
This issue may occur in the following scenario:
- A user browses to a malicious website and then accesses a vulnerable Liferay Portal or Liferay DXP page. In this way, a remote attacker can inject arbitrary web script or HTML into the vulnerable site, which may lead to information disclosure.
The following are the steps described for exploiting this vulnerability:
- Obtain the email address of a user from a malicious website.
- Create a malicious email message in an email client and send it to the user.
- The user visits the malicious website and accesses a vulnerable Liferay DXP page. In this way, a remote attacker can inject arbitrary web script or HTML into the vulnerable site, which may lead to information disclosure.
References
Timeline
Published on: 10/18/2022 21:15:00 UTC
Last modified on: 10/20/2022 18:08:00 UTC