CVE-2022-42120

CRITICAL

Liferay DXP 7.3.3-7.4.3.16 - SQL Injection via PortletPreferences Namespace Attribute

Title source: llm

Description

A SQL injection vulnerability in the Fragment module in Liferay Portal 7.3.3 through 7.4.3.16, and Liferay DXP 7.3 before update 4, and 7.4 before update 17 allows attackers to execute arbitrary SQL commands via a PortletPreferences' `namespace` attribute.

References (3)

Core 3

Core References

Vendor Advisory

http://liferay.com

Issue Tracking, Vendor Advisory

https://issues.liferay.com/browse/LPE-17513

Vendor Advisory

https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42120

Scores

CVSS v3 9.8

EPSS 0.0081

EPSS Percentile 74.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-89

Status published

Products (5)

com.liferay/com.liferay.fragment.service 0 - 4.0.33Maven

com.liferay.portal/release.dxp.bom 7.3.0 - 7.3.10.u4Maven

liferay/dxp 7.3

liferay/dxp 7.4

liferay/liferay_portal 7.3.3 - 7.4.3.16

Published Nov 15, 2022

Tracked Since Feb 18, 2026