CVE-2022-42122 — SQL Injection in DXP

CWE-89 — SQL Injection4 documents4 sources

Severity

9.8CRITICALNVD

EPSS

0.8%

top 25.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay DXP Liferay Portal

Timeline

PublishedNov 15

Description

A SQL injection vulnerability in the Friendly Url module in Liferay Portal 7.3.7, and Liferay DXP 7.3 fix pack 2 through update 4 allows attackers to execute arbitrary SQL commands via a crafted payload injected into the `title` field of a friendly URL.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDliferay/liferay_portal7.3.7

▶NVDliferay/dxp7.3

🔴Vulnerability Details

GHSA

Liferay Portal and Liferay DXP Vulnerable to SQL Injection via Friendly URL Module↗2022-11-15

▶

CVEList

CVE-2022-42122: A SQL injection vulnerability in the Friendly Url module in Liferay Portal 7↗2022-11-15

▶

OSV

Liferay Portal and Liferay DXP Vulnerable to SQL Injection via Friendly URL Module↗2022-11-15

▶