CVE-2022-42114Cross-site Scripting in DXP

CWE-79Cross-site Scripting4 documents4 sources
Severity
5.4MEDIUMNVD
EPSS
0.2%
top 57.90%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Liferay DXPLiferay Portal
Timeline
PublishedOct 18
Latest updateOct 19

Description

A Cross-site scripting (XSS) vulnerability in the Role module's edit role assignees page in Liferay Portal 7.4.0 through 7.4.3.36, and Liferay DXP 7.4 before update 37 allows remote attackers to inject arbitrary web script or HTML.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

NVDliferay/liferay_portal7.4.07.4.3.37
NVDliferay/dxp< 7.4+1

Patches

Patch: portal.liferay.devPatch: portal.liferay.dev

🔴Vulnerability Details

3
OSV
Liferay Portal and Liferay DXP Vulnerable to XSS via the Role Module2022-10-19
GHSA
Liferay Portal and Liferay DXP Vulnerable to XSS via the Role Module2022-10-19
CVEList
CVE-2022-42114: A Cross-site scripting (XSS) vulnerability in the Role module's edit role assignees page in Liferay Portal 72022-10-18
CVE-2022-42114 — Cross-site Scripting in Liferay DXP | cvebase