CVE-2022-42118

MEDIUM NUCLEI

Liferay Portal < 7.4.2 - XSS

Title source: rule

Description

A Cross-site scripting (XSS) vulnerability in the Portal Search module in Liferay Portal 7.1.0 through 7.4.2, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 15, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the `tag` parameter.

Nuclei Templates (1)

Liferay Portal - Cross-site Scripting

MEDIUMby ritikchaddha

Shodan: html:"var Liferay"

FOFA: body="var Liferay"

References (3)

[Vendor Advisory] http://liferay.com

[Vendor Advisory] https://issues.liferay.com/browse/LPE-17342

[Vendor Advisory] https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42118

Scores

CVSS v3 6.1

EPSS 0.1321

EPSS Percentile 94.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (6)

com.liferay/com.liferay.portal.search.web 0 - 6.0.12Maven

com.liferay.portal/release.dxp.bom 7.1.0 - 7.1.10.fp27Maven

liferay/digital_experience_platform 7.1 (26 CPE variants)

liferay/digital_experience_platform 7.2 (15 CPE variants)

liferay/dxp 7.3 (3 CPE variants)

liferay/liferay_portal 7.1.0 - 7.4.2

Published Nov 15, 2022

Tracked Since Feb 18, 2026