CVE-2022-42112

MEDIUM

Liferay Digital Experience Platform < 7.2 - Cross-Site Scripting in Portal Search Sort Widget

Title source: llm

Description

A Cross-site scripting (XSS) vulnerability in the Portal Search module's Sort widget in Liferay Portal 7.2.0 through 7.4.3.24, and Liferay DXP 7.2 before fix pack 19, 7.3 before update 5, and DXP 7.4 before update 25 allows remote attackers to inject arbitrary web script or HTML via a crafted payload.

References (2)

Core 2

Core References

Product

http://liferay.com

Patch, Vendor Advisory

https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42112

Scores

CVSS v3 5.4

EPSS 0.0022

EPSS Percentile 44.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (6)

com.liferay/com.liferay.portal.search.web 0 - 6.0.45Maven

com.liferay.portal/release.dxp.bom 7.2.0 - 7.2.10.fp19Maven

liferay/digital_experience_platform 7.2 (17 CPE variants)

liferay/digital_experience_platform < 7.2

liferay/dxp 7.3 (8 CPE variants)

liferay/dxp 7.4 ga1 (22 CPE variants)

Published Oct 18, 2022

Tracked Since Feb 18, 2026