CVE-2022-42116 — Liferay Portal and Liferay DXP Vulnerable to XSS in the CKEditor Integration wit

Description

A Cross-site scripting (XSS) vulnerability in the Frontend Editor module's integration with CKEditor in Liferay Frontend Editor CKEditor Web before 5.0.46 from Liferay Portal (7.3.2 through 7.4.3.14), and Liferay DXP 7.3 before update 6, and 7.4 before update 15 allows remote attackers to inject arbitrary web script or HTML via the (1) name, or (2) namespace parameter.

How to fix CVE-2022-42116

To remediate CVE-2022-42116, upgrade the affected package to a fixed version below.

—upgrade to 5.0.46 or later
—upgrade to 7.3.10.u6 or later

Is CVE-2022-42116 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 5.0.46
>= 7.3.0, < 7.3.10.u6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-42116
PATCHgithub.com/liferay/liferay-portal
WEBliferay.com
WEBgithub.com/liferay/liferay-portal/commit/ed2b59aa7db94c05c2be9ff5fda1d26ae7b00948
WEBliferay.atlassian.net