CVE-2022-42117 — Liferay Portal and Liferay DXP Vulnerable to XSS in the Frontend Taglib Module

Description

A Cross-site scripting (XSS) vulnerability in the Frontend Taglib module before 9.1.7 from Liferay Portal (7.3.2 through 7.4.3.16), and Liferay DXP 7.3 before update 6, and 7.4 before update 17 allows remote attackers to inject arbitrary web script or HTML.

How to fix CVE-2022-42117

To remediate CVE-2022-42117, upgrade the affected package to a fixed version below.

—upgrade to 9.1.7 or later
—upgrade to 7.3.10.u6 or later

Is CVE-2022-42117 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 9.1.7
>= 7.3.0, < 7.3.10.u6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-42117
PATCHgithub.com/liferay/liferay-portal
WEBliferay.com
WEBgithub.com/liferay/liferay-portal/commit/a0d25a757f002c39d02b93938bc11feb3b0de6f6
WEBliferay.atlassian.net