CVE-2022-28979 — Cross-site Scripting in Portal

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

6.1MEDIUMNVD

EPSS

0.3%

top 46.59%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Portal Liferay Digital Experience Platform Liferay DXP

Timeline

PublishedSep 22

Latest updateSep 23

Description

Liferay Portal v7.1.0 through v7.4.2 and Liferay DXP 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 was discovered to contain a cross-site scripting (XSS) vulnerability in the Portal Search module's Custom Facet widget. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Custom Parameter Name text field.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶NVDliferay/liferay_portal7.1.0 — 7.4.3.4

▶NVDliferay/dxp7.3

▶NVDliferay/digital_experience_platform7.1, 7.2+1

Patches

Patch: issues.liferay.com ↗Patch: issues.liferay.com ↗

🔴Vulnerability Details

OSV

Liferay Portal and Liferay DXP Vulnerable to XSS in the Portal Search Module↗2022-09-23

▶

GHSA

Liferay Portal and Liferay DXP Vulnerable to XSS in the Portal Search Module↗2022-09-23

▶

CVEList

CVE-2022-28979: Liferay Portal v7↗2022-09-21

▶