CVE-2022-42113 — Liferay Portal and Liferay DXP Vulnerable to XSS via the Document Library Module

Description

A Cross-site scripting (XSS) vulnerability in Document Library module before 6.0.98 from Liferay Portal (7.4.3.30 through 7.4.3.36), and Liferay DXP 7.4 update 30 through update 36 allows remote attackers to inject arbitrary web script or HTML via the `redirect` parameter.

How to fix CVE-2022-42113

To remediate CVE-2022-42113, upgrade the affected package to a fixed version below.

—upgrade to 6.0.98 or later
—upgrade to 7.4.13.u37 or later

Is CVE-2022-42113 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 6.0.98
>= 7.4.13.u30, < 7.4.13.u37

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-42113
PATCHgithub.com/liferay/liferay-portal
WEBliferay.com
WEBgithub.com/liferay/liferay-portal/commit/2e4d17dfe42bb3b12c96527943087cf7e4a7d57e
WEB