CVE-2022-42120: SQL Injection in Portal

CWE-89: SQL Injection | 4 documents | 4 sources
Severity: 9.8 CRITICAL (NVD)
EPSS: 0.8% (top 25.68%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Nov 15

Description

A SQL injection vulnerability in the Fragment module in Liferay Portal 7.3.3 through 7.4.3.16, and Liferay DXP 7.3 before update 4, and 7.4 before update 17 allows attackers to execute arbitrary SQL commands via a PortletPreferences' `namespace` attribute.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (2 packages)

NVD: liferay/liferay_portal 7.3.3 through 7.4.3.16
NVD: liferay/dxp 7.3, 7.4 +1

🔴 Vulnerability Details (3)

OSV: Liferay Portal and Liferay DXP Vulnerable to SQL Injection via the Fragment Module (2022-11-15)
GHSA: Liferay Portal and Liferay DXP Vulnerable to SQL Injection via the Fragment Module (2022-11-15)
CVEList: CVE-2022-42120: A SQL injection vulnerability in the Fragment module in Liferay Portal 7 (2022-11-15)