CVE-2022-26594
MEDIUMLiferay Portal 7.3.5-7.4.0 and DXP < 7.3.10.fp3 - Stored Cross-Site Scripting via Form Field Help Text
Title source: llmDescription
Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.3.5 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allow remote attackers to inject arbitrary web script or HTML via a form field's help text to (1) Forms module's form builder, or (2) App Builder module's object form view's form builder.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_misc
http://liferay.com
Scores
CVSS v3
6.1
EPSS
0.0026
EPSS Percentile
49.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (4)
com.liferay/com.liferay.dynamic.data.mapping.form.field.type
0 - 6.0.11Maven
com.liferay.portal/release.dxp.bom
7.3.0 - 7.3.10.fp3Maven
liferay/liferay_portal
7.4.0
liferay/liferay_portal
7.3.5 - 7.3.7
Published
Apr 15, 2022
Tracked Since
Feb 18, 2026