CVE-2022-42118
Liferay Portal and Liferay DXP Vulnerable to XSS via the Portal Search Module
CVSS 3.1: 6.1 (MEDIUM), EPSS 13.2%
Description
A cross-site scripting (XSS) vulnerability in the Portal Search module before 6.0.12 from Liferay Portal (7.1.0 through 7.4.2), and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 15, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the `tag` parameter.
How to fix CVE-2022-42118
To remediate CVE-2022-42118, upgrade the affected package to one of the fixed versions listed below.
- Upgrade to 6.0.12 or later
- Upgrade to 7.1.10.fp27 or later
Is CVE-2022-42118 being exploited?
Moderate — EPSS is 13.2%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (2)
- from 0, < 6.0.12
- >= 7.1.0, < 7.1.10.fp27
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |