CVE-2022-28978
Liferay Portal and Liferay DXP Vulnerable to XSS in the Site Module
Severity: 5.4 MEDIUM (CVSS 3.1)
EPSS: 0.12%
Description
Stored cross-site scripting (XSS) vulnerability in the Site module's user membership administration page in Liferay Site Memberships Web before 5.0.10 from Liferay Portal (7.0.1 through 7.4.1), and Liferay DXP 7.0 before fix pack 102, 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3, allows remote attackers to inject arbitrary web script or HTML via a user's name.
How to fix CVE-2022-28978
To remediate CVE-2022-28978, upgrade the affected package to a fixed version below.
- upgrade to 5.0.10 or later
- upgrade to 7.0.10.fp102 or later
Is CVE-2022-28978 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 5.0.10
- >= 7.0.0, < 7.0.10.fp102
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |