EPSS Percentile: 31.1%
Liferay is vulnerable to cross-site request forgery. The vulnerability exists because the module does not validate the origin of the event message in the fetch.es.js file, allowing attackers to pull out the CSRF token via a crafted event message.
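The missing check described above, shown as an added example beside its hardened form; this is not Liferay's code or the code of the referenced commit. The handler names, the `get-token` message shape and the example origins are assumptions made for illustration.

```javascript
// Added illustration: handler names, message shape and origins are hypothetical,
// not taken from fetch.es.js.
const TRUSTED_ORIGINS = new Set(['https://apps.example.com']); // constructed allowlist

// Pattern described above: the handler never looks at event.origin, so it
// answers whichever window sent the message.
function handleUnchecked(event, csrfToken) {
  if (!event.data || event.data.type !== 'get-token') return false;
  event.source.postMessage({ type: 'token', token: csrfToken }, '*');
  return true;
}

// Hardened pattern: exact-match the sender's origin against an allowlist
// (no startsWith/includes), and address the reply to that origin only.
function handleChecked(event, csrfToken) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return false;
  if (!event.data || event.data.type !== 'get-token') return false;
  event.source.postMessage({ type: 'token', token: csrfToken }, event.origin);
  return true;
}

// Stand-in for a window object so the handlers run under Node; in a browser
// they would be registered with window.addEventListener('message', ...).
function fakeWindow() {
  const sent = [];
  return { sent, postMessage: (msg, targetOrigin) => sent.push({ msg, targetOrigin }) };
}

// Constructed sample senders: one trusted, a lookalike host, and the opaque
// "null" origin that sandboxed frames report.
const SAMPLE_ORIGINS = [
  'https://apps.example.com',
  'https://apps.example.com.untrusted.example',
  'null',
];

// Returns, per origin, how many replies each handler sent.
function compareHandlers() {
  return SAMPLE_ORIGINS.map((origin) => {
    const a = fakeWindow();
    const b = fakeWindow();
    const data = { type: 'get-token' };
    handleUnchecked({ origin, data, source: a }, 'constructed-token');
    handleChecked({ origin, data, source: b }, 'constructed-token');
    return { origin, unchecked: a.sent.length, checked: b.sent.length };
  });
}

console.log(compareHandlers());
```

The unchecked handler replies to all three senders, while the checked one replies only to the allowlisted origin and pins the reply's target origin to it.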
fetch.es.js
liferay.com
github.com/liferay/liferay-portal/commit/2fe144127a1a3b4c74f47e4b760b992b997c276b
portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-25146-csrf-token-exfiltration-via-remote-apps
www.securitum.pl