CVE-2022-42118

MEDIUM NUCLEI

Liferay Portal 7.1.0-7.4.2 and DXP - Cross-Site Scripting via Portal Search Tag Parameter

Title source: llm

Exploitation Summary

CVE-2022-42118 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.

Description

A Cross-site scripting (XSS) vulnerability in the Portal Search module in Liferay Portal 7.1.0 through 7.4.2, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 15, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the `tag` parameter.

Nuclei Templates (1)

Liferay Portal - Cross-site Scripting

MEDIUMby ritikchaddha

Shodan: html:"var Liferay"

FOFA: body="var Liferay"

References (3)

Core 3

Core References

Vendor Advisory

http://liferay.com

Vendor Advisory

https://issues.liferay.com/browse/LPE-17342

Vendor Advisory

https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42118

Scores

CVSS v3 6.1

EPSS 0.0116

EPSS Percentile 63.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (6)

com.liferay/com.liferay.portal.search.web 0 - 6.0.12Maven

com.liferay.portal/release.dxp.bom 7.1.0 - 7.1.10.fp27Maven

liferay/digital_experience_platform 7.1 (26 CPE variants)

liferay/digital_experience_platform 7.2 (15 CPE variants)

liferay/dxp 7.3 (3 CPE variants)

liferay/liferay_portal 7.1.0 - 7.4.2

Published Nov 15, 2022

Tracked Since Feb 18, 2026