cve-2022-38901
Vulnerability from cvelistv5
Published
2022-10-19 00:00
Modified
2024-08-03 11:02
Severity ?
EPSS score ?
Summary
A Cross-site scripting (XSS) vulnerability in the Document and Media module - file upload functionality in Liferay Digital Experience Platform 7.3.10 SP3 allows remote attackers to inject arbitrary JS script or HTML into the description field of uploaded svg file.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://liferay.com | Vendor Advisory | |
| cve@mitre.org | https://drive.proton.me/urls/D27RQ14NGW#b71d8XrBl2Mu | Third Party Advisory | |
| cve@mitre.org | https://www.offensity.com/en/blog/authenticated-persistent-xss-in-liferay-dxp-cms-cve-2022-38901-and-cve-2022-38902/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://liferay.com | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://drive.proton.me/urls/D27RQ14NGW#b71d8XrBl2Mu | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.offensity.com/en/blog/authenticated-persistent-xss-in-liferay-dxp-cms-cve-2022-38901-and-cve-2022-38902/ | Exploit, Third Party Advisory |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T11:02:14.616Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "http://liferay.com"
},
{
"tags": [
"x_transferred"
],
"url": "https://drive.proton.me/urls/D27RQ14NGW#b71d8XrBl2Mu"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.offensity.com/en/blog/authenticated-persistent-xss-in-liferay-dxp-cms-cve-2022-38901-and-cve-2022-38902/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Cross-site scripting (XSS) vulnerability in the Document and Media module - file upload functionality in Liferay Digital Experience Platform 7.3.10 SP3 allows remote attackers to inject arbitrary JS script or HTML into the description field of uploaded svg file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-19T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "http://liferay.com"
},
{
"url": "https://drive.proton.me/urls/D27RQ14NGW#b71d8XrBl2Mu"
},
{
"url": "https://www.offensity.com/en/blog/authenticated-persistent-xss-in-liferay-dxp-cms-cve-2022-38901-and-cve-2022-38902/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-38901",
"datePublished": "2022-10-19T00:00:00",
"dateReserved": "2022-08-29T00:00:00",
"dateUpdated": "2024-08-03T11:02:14.616Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2022-38901\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2022-10-19T02:15:09.000\",\"lastModified\":\"2024-11-21T07:17:15.060\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A Cross-site scripting (XSS) vulnerability in the Document and Media module - file upload functionality in Liferay Digital Experience Platform 7.3.10 SP3 allows remote attackers to inject arbitrary JS script or HTML into the description field of uploaded svg file.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad de tipo Cross-site scripting (XSS) en el m\u00f3dulo Document and Media - funcionalidad de descarga de archivos en Liferay Digital Experience Platform versi\u00f3n 7.3.10 SP3, permite a atacantes remotos inyectar scripts JS o HTML arbitrarias en el campo description del archivo svg descargado\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:dxp:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.0\",\"versionEndExcluding\":\"7.3\",\"matchCriteriaId\":\"4A46C2D9-63F5-41D7-A804-8B82093B805A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:dxp:7.3:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"21C55D41-DB66-494D-BEEB-BDAC7CB4B31B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:dxp:7.3:update_1:*:*:*:*:*:*\",\"matchCriteriaId\":\"D60CDAA3-6029-4904-9D08-BB221BCFD7C3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:dxp:7.3:update_2:*:*:*:*:*:*\",\"matchCriteriaId\":\"B66F47E9-3D82-497E-BD84-E47A65FAF8C3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:dxp:7.3:update_3:*:*:*:*:*:*\",\"matchCriteriaId\":\"A0BA4856-59DF-427C-959F-3B836314F5D5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:dxp:7.3:update_4:*:*:*:*:*:*\",\"matchCriteriaId\":\"F3A5ADE1-4743-4A78-9FCC-CEB857012A5B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:dxp:7.3:update_5:*:*:*:*:*:*\",\"matchCriteriaId\":\"2B420A18-5C8B-470F-9189-C84F8DAA74D5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:dxp:7.4:update_1:*:*:*:*:*:*\",\"matchCriteriaId\":\"46AF397F-A95C-4FAD-A6EA-CB623B7A262A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:dxp:7.4:update_10:*:*:*:*:*:*\",\"matchCriteriaId\":\"3B8C3B3F-1BBB-47A5-A789-B207B6346FFF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:dxp:7.4:update_11:*:*:*:*:*:*\",\"matchCriteriaId\":\"AD5D1171-954A-4E75-813D-E8392CFE4029\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:dxp:7.4:update_12:*:*:*:*:*:*\",\"matchCriteriaId\":\"F148098A-D867-4C8B-9632-6B7F24D50C30\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:dxp:7.4:update_13:*:*:*:*:*:*\",\"matchCriteriaId\":\"8A112ED2-27C2-45E3-8FA0-6043F7D3BEED\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:dxp:7.4:update_14:*:*:*:*:*:*\",\"matchCriteriaId\":\"0744AC04-9663-4DA1-9657-EC5BF0C68499\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:dxp:7.4:update_15:*:*:*:*:*:*\",\"matchCriteriaId\":\"5703FE2B-011A-4A40-AB67-B989438F2183\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:dxp:7.4:update_16:*:*:*:*:*:*\",\"matchCriteriaId\":\"41A54448-B1AB-4E92-8523-5D4A46A83533\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:dxp:7.4:update_17:*:*:*:*:*:*\",\"matchCriteriaId\":\"A96A2A4A-3EB3-4074-A846-EC6EECC04B43\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:dxp:7.4:update_18:*:*:*:*:*:*\",\"matchCriteriaId\":\"56DAE678-10B9-419D-9F5D-96E3AC3A6E4A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:dxp:7.4:update_19:*:*:*:*:*:*\",\"matchCriteriaId\":\"064F4C28-B1F5-44C2-91AA-A09FD56EC0B9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:dxp:7.4:update_2:*:*:*:*:*:*\",\"matchCriteriaId\":\"C2C2351E-BDEE-4A79-A00C-6520B54996EF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:dxp:7.4:update_20:*:*:*:*:*:*\",\"matchCriteriaId\":\"814D0CE3-B89F-423C-B1E3-47BD0A474491\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:dxp:7.4:update_21:*:*:*:*:*:*\",\"matchCriteriaId\":\"58DB7C5A-B4E3-410A-B491-3F322B340BDF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:dxp:7.4:update_22:*:*:*:*:*:*\",\"matchCriteriaId\":\"86B581B6-02B0-40B9-BB5C-E28FC51042DB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:dxp:7.4:update_23:*:*:*:*:*:*\",\"matchCriteriaId\":\"E7EFBC14-6785-4435-BA96-D77A857BC1C8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:dxp:7.4:update_24:*:*:*:*:*:*\",\"matchCriteriaId\":\"585635F8-53DC-4F64-BF6B-C6F72A5F4D29\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:dxp:7.4:update_25:*:*:*:*:*:*\",\"matchCriteriaId\":\"355DD7FC-E9C7-43D6-8313-0474AB314F18\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:dxp:7.4:update_26:*:*:*:*:*:*\",\"matchCriteriaId\":\"B0FDE8B1-444A-4FEB-AC97-4B29C914EB8A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:dxp:7.4:update_27:*:*:*:*:*:*\",\"matchCriteriaId\":\"683D063A-0E32-4E2D-8CBF-A57F45071F6E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:dxp:7.4:update_28:*:*:*:*:*:*\",\"matchCriteriaId\":\"7DFEBCAB-1D9B-4BED-A2C6-11BA863F1EE9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:dxp:7.4:update_3:*:*:*:*:*:*\",\"matchCriteriaId\":\"25F5C3E9-CBB0-4114-91A4-41F0E666026A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:dxp:7.4:update_4:*:*:*:*:*:*\",\"matchCriteriaId\":\"5E2B5687-B311-460E-A562-D754AF271F8E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:dxp:7.4:update_5:*:*:*:*:*:*\",\"matchCriteriaId\":\"B49D0CB9-8ED7-46AB-9BA5-7235A2CD9117\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:dxp:7.4:update_6:*:*:*:*:*:*\",\"matchCriteriaId\":\"DF169364-096C-4294-B89F-C07AF1DCC9C4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:dxp:7.4:update_7:*:*:*:*:*:*\",\"matchCriteriaId\":\"30CB2C54-1A20-4226-ACC6-AC8131899AE2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:dxp:7.4:update_8:*:*:*:*:*:*\",\"matchCriteriaId\":\"65693260-5B0F-47AA-BF08-D2979997A40A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:dxp:7.4:update_9:*:*:*:*:*:*\",\"matchCriteriaId\":\"C9116909-04C3-4040-B945-4A6225425520\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.3.5\",\"versionEndIncluding\":\"7.4.3.28\",\"matchCriteriaId\":\"C0FF0E3A-B8C0-4867-9702-86F17ED4555A\"}]}]}],\"references\":[{\"url\":\"http://liferay.com\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://drive.proton.me/urls/D27RQ14NGW#b71d8XrBl2Mu\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.offensity.com/en/blog/authenticated-persistent-xss-in-liferay-dxp-cms-cve-2022-38901-and-cve-2022-38902/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"http://liferay.com\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://drive.proton.me/urls/D27RQ14NGW#b71d8XrBl2Mu\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.offensity.com/en/blog/authenticated-persistent-xss-in-liferay-dxp-cms-cve-2022-38901-and-cve-2022-38902/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.