CVE-2022-42121
Liferay Portal and Liferay DXP Vulnerable to SQL Injection via the Layout Module
CVSS 3.1 score: 8.8 (HIGH)
EPSS: 0.60%
Description
A SQL injection vulnerability in the Layout module before 4.0.17 from Liferay Portal (7.1.3 through 7.4.3.4), and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before service pack 3, and 7.4 GA allows remote authenticated attackers to execute arbitrary SQL commands via a crafted payload injected into a page template's 'Name' field.
How to fix CVE-2022-42121
To remediate CVE-2022-42121, upgrade the affected package to one of the fixed versions below.
- upgrade to 4.0.17 or later
- upgrade to 7.1.10.fp27 or later
Is CVE-2022-42121 being exploited?
Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 4.0.17
- >= 7.1.0, < 7.1.10.fp27
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (8.8) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |