CVE-2022-42112
Liferay Portal and Liferay DXP Vulnerable to XSS via the Portal Search Module
CVSS 3.1: 5.4 (MEDIUM)
EPSS: 0.22%
Description
A Cross-site scripting (XSS) vulnerability in the Portal Search module's Sort widget before 6.0.45 from Liferay Portal (7.2.0 through 7.4.3.24), and Liferay DXP 7.2 before fix pack 19, 7.3 before update 5, and DXP 7.4 before update 25 allows remote attackers to inject arbitrary web script or HTML via a crafted payload.
How to fix CVE-2022-42112
To remediate CVE-2022-42112, upgrade the affected package to a fixed version below.
- upgrade to 6.0.45 or later
- upgrade to 7.2.10.fp19 or later
Is CVE-2022-42112 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 6.0.45
- >= 7.2.0, < 7.2.10.fp19
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |