Cross-Site Scripting in Liferay Portal and DXP Sharing Module
CVE-2022-42111
5.4 MEDIUM
What is CVE-2022-42111?
A Cross-Site Scripting vulnerability exists in the user notification feature of the Sharing module within Liferay Portal versions 7.2.1 through 7.4.2 and in Liferay DXP 7.2 prior to fix pack 19 and 7.3 before update 4. This vulnerability allows remote attackers to inject arbitrary web scripts or HTML through crafted payloads when sharing an asset. As a result, users can be subject to various attacks including data theft or session hijacking if they interact with the malicious content.
CVSS V3.1
Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved