{"id":"CVE-2022-26597","details":"Cross-site scripting (XSS) vulnerability in the Layout module's Open Graph integration in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the site name.","aliases":["BIT-liferay-2022-26597","GHSA-3vww-jrmm-9vff"],"modified":"2026-07-10T04:02:13.934452540Z","published":"2022-04-25T15:02:53Z","database_specific":{"cna_assigner":"mitre","unresolved_ranges":[{"extracted_events":[{"introduced":"7.3.0"},{"fixed":"7.4.0"},{"introduced":"7.3"}],"source":"DESCRIPTION"}],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/26xxx/CVE-2022-26597.json"},"references":[{"type":"WEB","url":"https://liferay.dev/w/cve-2022-26597-stored-xss-with-site-name-in-open-graph-integration"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/26xxx/CVE-2022-26597.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-26597"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/liferay/liferay-portal","events":[{"introduced":"b072f5df5544a28677824835b490ce8a867bf133"},{"last_affected":"ec84d86679146b84af526f96471a730c340dda78"}],"database_specific":{"extracted_events":[{"introduced":"7.3.0"},{"last_affected":"7.4.0"}],"source":"CPE_RANGE","cpe":"cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*"}}],"versions":["7.4.0-ga1","7.3.5-ga6","7.3.4-ga5","test-fix-pack-base-7310","7.3.3-ga4","7.3.2-ga3","7.3.1-ga2","7.3.0-ga1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-26597.json"}}],"schema_version":"1.7.5"}