CVE-2022-42119

MEDIUM

Liferay Portal 7.3.5-7.4.2 and DXP < 7.3.10.u8 - Cross-Site Scripting via Commerce Module

Title source: llm

Description

Certain Liferay products are vulnerable to Cross Site Scripting (XSS) via the Commerce module. This affects Liferay Portal 7.3.5 through 7.4.2 and Liferay DXP 7.3 before update 8.

Scores

CVSS v3 5.4
EPSS 0.0064
EPSS Percentile 70.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (4)
com.liferay.commerce/com.liferay.commerce.catalog.web 0 - 4.0.8 (Maven)
com.liferay.portal/release.dxp.bom 7.3.0 - 7.3.10.u8 (Maven)
liferay/dxp 7.3 (8 CPE variants)
liferay/liferay_portal 7.3.5 - 7.4.2
Published Nov 15, 2022
Tracked Since Feb 18, 2026