6 matches found

OSV
added 2024/01/31 3:21 p.m. · 12 views

BIT-LIFERAY-2022-25146

The Remote App module in Liferay Portal v7.4.3.4 through v7.4.3.8 and Liferay DXP 7.4 before update 5 does not check if the origin of event messages it receives matches the origin of the Remote App, allowing attackers to exfiltrate the CSRF token via a crafted event message...

CVSS 5.3 · AI score 5.2 · EPSS 0.0014
Exploits: 0 · References: 3

Prion
added 2022/03/03 12:15 a.m. · 11 views

Cross-site request forgery (CSRF)

The Remote App module in Liferay Portal v7.4.3.4 through v7.4.3.8 and Liferay DXP 7.4 before update 5 does not check if the origin of event messages it receives matches the origin of the Remote App, allowing attackers to exfiltrate the CSRF token via a crafted event message...

CVSS 5 · AI score 5.3 · EPSS 0.0014
Exploits: 0 · References: 3 · Affected Software: 2

ATTACKERKB
added 2022/03/03 12:15 a.m. · 2 views

CVE-2022-25146

The Remote App module in Liferay Portal v7.4.3.4 through v7.4.3.8 and Liferay DXP 7.4 before update 5 does not check if the origin of event messages it receives matches the origin of the Remote App, allowing attackers to exfiltrate the CSRF token via a crafted event message...

CVSS 5.3 · AI score 6.1 · EPSS 0.0014
Exploits: 0 · References: 4

Cvelist
added 2022/03/02 11:28 p.m. · 19 views

CVE-2022-25146

The Remote App module in Liferay Portal v7.4.3.4 through v7.4.3.8 and Liferay DXP 7.4 before update 5 does not check if the origin of event messages it receives matches the origin of the Remote App, allowing attackers to exfiltrate the CSRF token via a crafted event message...

AI score 5.5 · EPSS 0.0014
Exploits: 0 · References: 3

CVE
added 2022/03/02 11:28 p.m. · 95 views

CVE-2022-25146

CVE-2022-25146 affects the Remote App module in Liferay Portal v7.4.3.4–v7.4.3.8 and Liferay DXP 7.4 before update 5. Root cause: the origin of event messages is not validated against the Remote App origin, allowing CSRF token exfiltration via a crafted event message. Impact: partial confid...

CVSS 5.3 · AI score 5.2 · EPSS 0.0014
Exploits: 0 · References: 3 · Affected Software: 2

Positive Technologies
added 2022/03/02 12:0 a.m. · 2 views

PT-2022-17098 · Liferay · Liferay Dxp +1

Name of the Vulnerable Software and Affected Versions:
Liferay Portal versions 7.4.3.4 through 7.4.3.8
Liferay DXP 7.4 before update 5

Description: The issue concerns the Remote App module, which fails to verify if the origin of received event messages matches the Remote App's origin. This allows...

CVSS 5.3 · AI score 5.2 · EPSS 0.0014
Exploits: 0 · References: 10