CVE-2022-28980

MEDIUM

Liferay DXP and Portal < 7.4.3.5 - Cross-Site Scripting via filter_ Parameters

Title source: llm

Description

Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal v7.4.3.4 and Liferay DXP v7.4 GA allows attackers to execute arbitrary web scripts or HTML via parameters with the filter_ prefix.

References (2)

Core 2

Core References

Product x_refsource_misc

http://liferay.com

Various Sources x_refsource_misc

https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28980-reflected-xss-with-filter_%2A-parameters-in-applied-fragment-filters

Scores

CVSS v3 6.1

EPSS 0.0025

EPSS Percentile 48.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (4)

com.liferay/com.liferay.fragment.renderer.collection.filter.impl 0 - 1.0.11Maven

com.liferay.portal/release.dxp.bom 0 - 7.4.3.5-ga5Maven

liferay/dxp 7.4 ga

liferay/liferay_portal < 7.4.3.5

Published Sep 22, 2022

Tracked Since Feb 18, 2026