CVE-2022-42114 — Liferay Portal and Liferay DXP Vulnerable to XSS via the Role Module

Description

A Cross-site scripting (XSS) vulnerability in the Role module's edit role assignees page in Liferay Roles Admin Web before 5.0.48 from Liferay Portal (7.4.0 through 7.4.3.36), and Liferay DXP 7.4 before update 37 allows remote attackers to inject arbitrary web script or HTML.

How to fix CVE-2022-42114

To remediate CVE-2022-42114, upgrade the affected package to a fixed version below.

—upgrade to 5.0.48 or later
—upgrade to 7.4.13.u37 or later

Is CVE-2022-42114 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 5.0.48
>= 7.4.0, < 7.4.13.u37

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-42114
PATCHgithub.com/liferay/liferay-portal
WEBliferay.com
WEBgithub.com/liferay/liferay-portal/commit/ba9a07ee8d1aa04a9da352e9b6a776313b8ce5e9
WEBliferay.atlassian.net