VYPR
Medium severity5.3NVD Advisory· Published Mar 3, 2022· Updated Jun 17, 2026

CVE-2022-25146

CVE-2022-25146

Description

The Remote App module in Liferay Portal Liferay Portal v7.4.3.4 through v7.4.3.8 and Liferay DXP 7.4 before update 5 does not check if the origin of event messages it receives matches the origin of the Remote App, allowing attackers to exfiltrate the CSRF token via a crafted event message.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
com.liferay:com.liferay.remote.app.webMaven
< 2.0.212.0.21
com.liferay.portal:release.dxp.bomMaven
< 7.4.13.u57.4.13.u5

Affected products

4

Patches

Vulnerability mechanics

References

7

News mentions

0

No linked articles in our index yet.