CVE-2022-26596

MEDIUM6.1EPSS 0.23%

Liferay Portal and Liferay DXP allows arbitrary injection via web content template names

Published: 4/26/2022Modified: 7/18/2025

Description

Cross-site scripting (XSS) vulnerability in Journal module's web content display configuration page in Liferay Portal 7.1.0 through 7.3.3, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 8, allows remote attackers to inject arbitrary web script or HTML via web content template names.

Affected packages (3)

Bitnami/liferay>= 7.0.0, <= 7.0.0, >= 7.1.0, <= 7.1.0, >= 7.2.0, <= 7.2.0 | >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.0-fix.0, <= 7.0-fix.0, >= 7.1-fix.0, <= 7.1-fix.0, >= 7.1-fix.0, <= 7.1-fix.0, >= 7.1-fix.0, <= 7.1-fix.0, >= 7.1-fix.0, <= 7.1-fix.0, >= 7.1-fix.0, <= 7.1-fix.0, >= 7.1-fix.0, <= 7.1-fix.0, >= 7.1-fix.0, <= 7.1-fix.0, >= 7.1-fix.0, <= 7.1-fix.0, >= 7.1-fix.0, <= 7.1-fix.0, >= 7.1-fix.0, <= 7.1-fix.0, >= 7.2-fix.0, <= 7.2-fix.0, >= 7.2-fix.0, <= 7.2-fix.0, >= 7.2-fix.0, <= 7.2-fix.0, >= 7.2-fix.0, <= 7.2-fix.0, >= 7.2-fix.0, <= 7.2-fix.0, >= 7.2-fix.0, <= 7.2-fix.0, >= 7.2-fix.0, <= 7.2-fix.0
Maven/com.liferay:com.liferay.journal.content.webfrom 0, < 5.0.15
Maven/com.liferay.portal:release.dxp.bom>= 7.0.0, < 7.0.10.fp94

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

Affected packages (3)

CVSS scores

References (5)