SQL Injection Vulnerability in Liferay Portal and Liferay DXP
CVE-2022-42121

8.8HIGH

Key Information:

Vendor: Liferay
Status: Liferay Portal
Vendor: CVE Published:; 15 November 2022

What is CVE-2022-42121?

A SQL injection vulnerability exists in the Layout module of Liferay Portal and Liferay DXP, allowing remote authenticated attackers to execute arbitrary SQL commands. This is achieved through a specially crafted payload injected into the 'Name' field of a page template. The vulnerability impacts multiple versions of Liferay Portal (7.1.3 to 7.4.3.4) and various releases of Liferay DXP (before specified fix packs). Organizations using these products are advised to implement the necessary updates to mitigate this risk.

References

http://liferay.com

https://portal.liferay.dev/learn/security/known-vulnerabi...

https://issues.liferay.com/browse/LPE-17414

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 15, 2022
Vulnerability Reserved
Oct 3, 2022