CVE-2022-28979 — Liferay Portal and Liferay DXP Vulnerable to XSS in the Portal Search Module

Description

In Search Web before v6.0.19 in Liferay Portal (v7.1.0 through v7.4.2) and Liferay DXP 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 was discovered to contain a cross-site scripting (XSS) vulnerability in the Portal Search module's Custom Facet widget. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Custom Parameter Name text field.

How to fix CVE-2022-28979

To remediate CVE-2022-28979, upgrade the affected package to a fixed version below.

—upgrade to 6.0.19 or later
—no fix listed

Is CVE-2022-28979 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 6.0.19
>= 7.1.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-28979
PATCHgithub.com/liferay/liferay-portal
WEBliferay.com
WEBgithub.com/liferay/liferay-portal/commit/e18065248673c77927f4839439aa200bfb965ced
WEBissues.liferay.com