Moderate severity · NVD Advisory · Published Apr 15, 2022 · Updated Aug 3, 2024
CVE-2022-26594
Description
Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.3.5 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allow remote attackers to inject arbitrary web script or HTML via a form field's help text to (1) Forms module's form builder, or (2) App Builder module's object form view's form builder.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.liferay:com.liferay.dynamic.data.mapping.form.field.type (Maven) | < 6.0.11 | 6.0.11 |
| com.liferay.portal:release.dxp.bom (Maven) | >= 7.3.0, < 7.3.10.fp3 | 7.3.10.fp3 |
Affected products
- pkg:maven/com.liferay/com.liferay.dynamic.data.mapping.form.field.type (no CPE), range: < 6.0.11
- pkg:maven/com.liferay.portal/release.dxp.bom (no CPE), range: >= 7.3.0, < 7.3.10.fp3
References
- github.com/advisories/GHSA-658f-xhv4-p978 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-26594 (ghsa, ADVISORY)
- liferay.com (mitre, x_refsource_MISC)
- github.com/liferay/liferay-portal/commit/7c9348cc59271647cfd192c007d383d80ae9a667 (ghsa, WEB)
- liferay.atlassian.net/browse/LPE-17290 (ghsa, WEB)
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2022-26594-xss-vulnerability-with-form-field-help-text (ghsa, WEB)
- portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-26594-xss-vulnerability-with-form-field-help-text (mitre, x_refsource_MISC)