Medium severity5.3NVD Advisory· Published Mar 3, 2022· Updated Jun 17, 2026
CVE-2022-25146
CVE-2022-25146
Description
The Remote App module in Liferay Portal Liferay Portal v7.4.3.4 through v7.4.3.8 and Liferay DXP 7.4 before update 5 does not check if the origin of event messages it receives matches the origin of the Remote App, allowing attackers to exfiltrate the CSRF token via a crafted event message.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.liferay:com.liferay.remote.app.webMaven | < 2.0.21 | 2.0.21 |
com.liferay.portal:release.dxp.bomMaven | < 7.4.13.u5 | 7.4.13.u5 |
Affected products
4- osv-coords3 versionspkg:bitnami/liferaypkg:maven/com.liferay/com.liferay.remote.app.webpkg:maven/com.liferay.portal/release.dxp.bom
< 7.4.0+ 2 more
- (no CPE)range: < 7.4.0
- (no CPE)range: < 2.0.21
- (no CPE)range: < 7.4.13.u5
Patches
Vulnerability mechanics
References
7- liferay.comnvdVendor AdvisoryWEB
- github.com/advisories/GHSA-ghw5-998m-vw4wghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-25146ghsaADVISORY
- portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-25146-csrf-token-exfiltration-via-remote-appsnvdVendor AdvisoryWEB
- www.securitum.plnvdNot ApplicableThird Party Advisory
- github.com/liferay/liferay-portal/commit/2fe144127a1a3b4c74f47e4b760b992b997c276bghsaWEB
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2022-25146-csrf-token-exfiltration-via-remote-appsghsaWEB
News mentions
0No linked articles in our index yet.