CVE-2022-26597 Stored XSS with site name in Open Graph integration

Description

Cross-site scripting (XSS) vulnerability in the Layout module's Open Graph integration in Liferay Portal 7.3.0 through 7.4.0 allows remote attackers to inject arbitrary web script or HTML via the site name.

Severity

5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Version(s)

  • Liferay Portal 7.3.0 - 7.3.7
  • Liferay Portal 7.4.0

Fixed Version(s)

Acknowledgments

This issue was reported by Duy Huynh

Publication date: Mon, 24 Jan 2022 16:00:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historial advisories are availabe in the Help Center.