CVE-2022-42116

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.3.2 through 7.4.3.14 Liferay DXP versions 7.3 before update 6 Liferay DXP versions 7.4 before update 15

Description A Cross-site scripting (XSS) issue exists due to the integration of the Frontend Editor module with CKEditor. This allows remote attackers to inject arbitrary web script or HTML via the name or namespace parameter.

Recommendations For Liferay Portal versions 7.3.2 through 7.4.3.14, update to a version outside of this range to resolve the issue. For Liferay DXP versions 7.3 before update 6, apply update 6 or later to fix the vulnerability. For Liferay DXP versions 7.4 before update 15, apply update 15 or later to fix the vulnerability. As a temporary workaround, consider restricting access to the CKEditor integration in the Frontend Editor module until a patch is available. Avoid using the name and namespace parameters in the affected module until the issue is resolved.