PT-2022-26259 · Liferay · Liferay Portal+1

Published

2022-10-18

Updated

2022-10-20

CVE-2022-42114

CVSS v3.1

5.4

Medium

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.4.0 through 7.4.3.36 Liferay DXP 7.4 before update 37

Description A Cross-site scripting (XSS) vulnerability in the Role module's edit role assignees page allows remote attackers to inject arbitrary web script or HTML. This issue affects the edit role assignees page, enabling attackers to execute malicious scripts.

Recommendations For Liferay Portal versions 7.4.0 through 7.4.3.36, update to a version after 7.4.3.36 to resolve the issue. For Liferay DXP 7.4 before update 37, apply update 37 or later to fix the vulnerability. As a temporary workaround, consider restricting access to the Role module's edit role assignees page until a patch is available.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2022-42114

GHSA-CMRW-CGFC-V6X2

Affected Products

Liferay Dxp

Liferay Portal

PT-2022-26259 · Liferay · Liferay Portal+1

CVE-2022-42114

Weakness Enumeration

Related Identifiers

Affected Products

References · 11