CVE-2022-42118

high-risk

Published 2022-11-15

A Cross-site scripting (XSS) vulnerability in the Portal Search module in Liferay Portal 7.1.0 through 7.4.2, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 15, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the `tag` parameter.

Do I need to act?

!

13.2% chance of exploitation in next 30 days

EPSS score — higher than 87% of all CVEs

-

Not on CISA KEV list

No confirmed active exploitation reported to CISA

?

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

6

CVSS 6.1/10 Medium

NETWORK / LOW complexity

Affected Products (20)

Liferay Portal

Digital Experience Platform

Digital Experience Platform

Digital Experience Platform

Digital Experience Platform

Digital Experience Platform

Digital Experience Platform

Digital Experience Platform

Digital Experience Platform

Digital Experience Platform

Digital Experience Platform

Digital Experience Platform

Digital Experience Platform

Digital Experience Platform

Digital Experience Platform

Digital Experience Platform

Digital Experience Platform

Digital Experience Platform

Digital Experience Platform

Digital Experience Platform

Affected Vendors

Liferay

References (6)

Vendor Advisory http://liferay.com

Vendor Advisory https://issues.liferay.com/browse/LPE-17342

Vendor Advisory https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publishe...

Vendor Advisory http://liferay.com

Vendor Advisory https://issues.liferay.com/browse/LPE-17342

Vendor Advisory https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publishe...

60

/ 100

high-risk

Severity 23/34 · High

Exploitability 12/34 · Low

Exposure 25/34 · High