CVE-2022-42115
Liferay Portal Vulnerable to XSS in the Object Module
CVSS 3.1: 5.4 (MEDIUM)
EPSS: 0.20%
Description
Cross-site scripting (XSS) vulnerability in the Object module's edit object details page in Liferay Object Web before 1.0.99 from Liferay Portal (7.4.3.4 through 7.4.3.36) allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into the object field's `Label` text field.
How to fix CVE-2022-42115
To remediate CVE-2022-42115, upgrade the affected package to the fixed version below.
- Upgrade to 1.0.99 or later
Is CVE-2022-42115 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 1.0.99
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |