CVE-2022-42119 — Liferay Portal and Liferay DXP Vulnerable to XSS via the Commerce Module

Description

Certain Liferay products are vulnerable to Cross Site Scripting (XSS) via the Commerce module. This affects the Commerce module before 4.0.8 from Liferay Portal (7.3.5 through 7.4.2) and Liferay DXP 7.3 before update 8.

How to fix CVE-2022-42119

To remediate CVE-2022-42119, upgrade the affected package to a fixed version below.

—upgrade to 4.0.8 or later
—upgrade to 7.3.10.u8 or later

Is CVE-2022-42119 being exploited?

Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 4.0.8
>= 7.3.0, < 7.3.10.u8

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-42119
PATCHgithub.com/liferay/liferay-portal
WEBliferay.com
WEBgithub.com/liferay/liferay-portal/commit/2e02110747dd5cccb978623545bfa1f3ad0a5602
WEBissues.liferay.com