CVE-2021-29053 — SQL Injection in DXP

CWE-89 — SQL Injection4 documents4 sources

Severity

8.8HIGHNVD

EPSS

0.5%

top 35.81%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay DXP Liferay Portal

Timeline

PublishedMay 17

Latest updateMay 24

Description

Multiple SQL injection vulnerabilities in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1 allow remote authenticated users to execute arbitrary SQL commands via the classPKField parameter to (1) CommerceChannelRelFinder.countByC_C, or (2) CommerceChannelRelFinder.findByC_C.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDliferay/liferay_portal7.3.5

▶NVDliferay/dxp7.3

🔴Vulnerability Details

OSV

Liferay Portal and Liferay DXP Vulnerable to Multiple SQL Injections↗2022-05-24

▶

GHSA

Liferay Portal and Liferay DXP Vulnerable to Multiple SQL Injections↗2022-05-24

▶

CVEList

CVE-2021-29053: Multiple SQL injection vulnerabilities in Liferay Portal 7↗2021-05-17

▶