CVE-2022-25146 CSRF token exfiltration via Remote Apps

Description

The Remote App module in Liferay Portal 7.4.3.4 through 7.4.3.8 does not check whether the origin of the event messages it receives matches the origin of the remote app, which allows remote attackers to exfiltrate the CSRF token by sending a crafted event message and waiting for the application to respond with the sensitive information.
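The pattern the advisory describes is a host page that answers `postMessage` events from an embedded remote app without comparing `event.origin` to the origin the app was registered with. The following is an added illustration, not Liferay's code and not a reproduction of the affected module: a vulnerable listener that replies to any sender sits beside a hardened one that drops messages from any origin other than the configured remote-app origin and targets its reply at that origin only. The token value, the origins and the `makeEvent` stand-in for a browser `MessageEvent` are all constructed so the example runs outside a browser.

```javascript
// Added example (not Liferay's code): host-side "message" handlers for an
// iframe-hosted remote app. The vulnerable handler answers any sender; the
// hardened one checks event.origin against the remote app's configured origin.

// Constructed stand-in for a session-scoped secret the host hands to a trusted remote app.
const CSRF_TOKEN = "constructed-token-123";

// Vulnerable pattern: no origin check. Any page that can obtain a reference to this
// window (for example by embedding it in a frame) can post a request and receive the token.
function vulnerableHandler(event) {
  if (event.data && event.data.type === "getCsrfToken") {
    // A "*" target origin also lets any origin read the reply.
    event.source.postMessage({ type: "csrfToken", token: CSRF_TOKEN }, "*");
    return true;
  }
  return false;
}

// Hardened pattern: bind the handler to the single origin the remote app was registered
// with (an assumed configuration value) and reply only to that origin.
function makeOriginCheckedHandler(allowedOrigin) {
  return function handler(event) {
    if (event.origin !== allowedOrigin) {
      return false; // silently drop messages from every other origin
    }
    if (event.data && event.data.type === "getCsrfToken") {
      // Targeting the reply at the trusted origin means a swapped frame cannot read it.
      event.source.postMessage({ type: "csrfToken", token: CSRF_TOKEN }, allowedOrigin);
      return true;
    }
    return false;
  };
}

// Minimal stand-in for a browser MessageEvent; replies are collected in `sink`.
function makeEvent(origin, data, sink) {
  return {
    origin,
    data,
    source: { postMessage: (msg, targetOrigin) => sink.push({ msg, targetOrigin }) },
  };
}

// Demonstration: the same "getCsrfToken" request from the registered origin and from an
// unrelated origin, run through both handlers. Returns which handler replied to which origin.
function demo() {
  const trusted = "https://remote-app.example"; // constructed
  const other = "https://other-origin.example"; // constructed
  const hardened = makeOriginCheckedHandler(trusted);
  const results = {};
  for (const origin of [trusted, other]) {
    const vulnSink = [];
    const hardSink = [];
    vulnerableHandler(makeEvent(origin, { type: "getCsrfToken" }, vulnSink));
    hardened(makeEvent(origin, { type: "getCsrfToken" }, hardSink));
    results[origin] = {
      vulnerableReplied: vulnSink.length > 0,
      hardenedReplied: hardSink.length > 0,
    };
  }
  return results;
}

if (typeof window === "undefined") {
  console.log(JSON.stringify(demo(), null, 2));
}
```

In a real page the hardened handler is installed with `window.addEventListener("message", makeOriginCheckedHandler(registeredOrigin))`, where `registeredOrigin` is the exact scheme, host and port the remote app was configured with; comparing against a prefix or a hostname substring would reintroduce the same class of bug.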

Severity

6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

Affected Version(s)

  • Liferay Portal 7.4.3.4 - 7.4.3.8

Fixed Version(s)

Acknowledgments

This issue was reported by Jakub Zoczek, Securitum.

Publication date: Wed, 02 Mar 2022 08:20:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historical advisories are available in the Help Center.