CVE-2022-42118

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.1.0 through 7.4.2 Liferay DXP versions 7.1 before fix pack 27 Liferay DXP versions 7.2 before fix pack 15 Liferay DXP versions 7.3 before service pack 3

Description A Cross-site scripting (XSS) vulnerability in the Portal Search module allows remote attackers to inject arbitrary web script or HTML via the tag parameter. This issue enables attackers to execute malicious scripts on the client-side, potentially leading to unauthorized actions or data theft.

Recommendations For Liferay Portal versions 7.1.0 through 7.4.2, update to a version outside of this range to mitigate the risk. For Liferay DXP version 7.1, apply fix pack 27 or later. For Liferay DXP version 7.2, apply fix pack 15 or later. For Liferay DXP version 7.3, apply service pack 3 or later. As a temporary workaround, consider restricting access to the Portal Search module until a patch is available. Avoid using the tag parameter in the affected module until the issue is resolved.