CVE-2022-42114

MEDIUM

Liferay DXP < 7.4 and Portal 7.4.0-7.4.3.36 - Cross-Site Scripting in Role Module Edit Assignees Page

Title source: llm

Description

A Cross-site scripting (XSS) vulnerability in the Role module's edit role assignees page in Liferay Portal 7.4.0 through 7.4.3.36, and Liferay DXP 7.4 before update 37 allows remote attackers to inject arbitrary web script or HTML.

References (2)

Core 2

Core References

Product

http://liferay.com

Patch, Vendor Advisory

https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42114

Scores

CVSS v3 5.4

EPSS 0.0020

EPSS Percentile 41.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (5)

com.liferay/com.liferay.roles.admin.web 0 - 5.0.48Maven

com.liferay.portal/release.dxp.bom 7.4.0 - 7.4.13.u37Maven

liferay/dxp 7.4 ga1 (37 CPE variants)

liferay/dxp < 7.4

liferay/liferay_portal 7.4.0 - 7.4.3.37

Published Oct 18, 2022

Tracked Since Feb 18, 2026