PT-2022-26266 · Liferay · Liferay Portal, Liferay DXP

Published 2022-11-15 · Updated 2025-09-05 · CVE-2022-42120

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Liferay Portal versions 7.3.3 through 7.4.3.16
Liferay DXP versions 7.3 before update 4
Liferay DXP versions 7.4 before update 17

Description

A SQL injection issue in the Fragment module allows attackers to execute arbitrary SQL commands via a PortletPreferences' namespace attribute. This enables attackers to manipulate database queries, potentially leading to unauthorized data access or modification.

Recommendations

For Liferay Portal versions 7.3.3 through 7.4.3.16, update to a fixed version outside of this range. For Liferay DXP 7.3 before update 4, apply update 4 or later. For Liferay DXP 7.4 before update 17, apply update 17 or later. As a temporary workaround, consider restricting access to the Fragment module until a patch is applied, and avoid using the namespace attribute in PortletPreferences until the issue is resolved.
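The root cause described above is an untrusted attribute value reaching SQL text. The following is an added illustration, not Liferay's code or schema: a constructed in-memory SQLite table standing in for a portlet-preferences store, a lookup that concatenates the namespace attribute into the query (the vulnerable pattern), and a hardened lookup that allowlist-validates the namespace and binds it as a parameter. The table name, columns, sample rows and the namespace pattern are all hypothetical.

```python
import re
import sqlite3

# Constructed stand-in for a portlet-preferences store (hypothetical schema).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE portlet_prefs (namespace TEXT, owner TEXT, prefs TEXT)"
    )
    conn.executemany(
        "INSERT INTO portlet_prefs VALUES (?, ?, ?)",
        [
            ("_fragment_1_", "alice", "<portlet-preferences/>"),
            ("_fragment_2_", "bob", "<portlet-preferences/>"),
        ],
    )
    return conn


def lookup_vulnerable(conn, namespace):
    # Vulnerable pattern: the attribute value becomes part of the SQL text,
    # so quote characters in it change the query's structure.
    sql = "SELECT owner FROM portlet_prefs WHERE namespace = '" + namespace + "'"
    return [row[0] for row in conn.execute(sql)]


# Hypothetical allowlist for a portlet namespace: underscore-delimited
# identifier characters only, bounded length.
NAMESPACE_RE = re.compile(r"^_[A-Za-z0-9_]{1,200}_$")


def lookup_hardened(conn, namespace):
    # Hardened pattern: reject anything outside the allowlist up front, then
    # bind the value as a parameter so it can never be parsed as SQL.
    if not NAMESPACE_RE.fullmatch(namespace):
        raise ValueError("invalid portlet namespace")
    sql = "SELECT owner FROM portlet_prefs WHERE namespace = ?"
    return [row[0] for row in conn.execute(sql, (namespace,))]


def lookup_parameterized_only(conn, namespace):
    # Binding alone (no allowlist) already neutralises the injection: the
    # whole string is compared literally and matches no stored namespace.
    sql = "SELECT owner FROM portlet_prefs WHERE namespace = ?"
    return [row[0] for row in conn.execute(sql, (namespace,))]


if __name__ == "__main__":
    db = build_db()
    crafted = "' OR '1'='1"  # classic structure-altering value (constructed)
    print("vulnerable:", lookup_vulnerable(db, crafted))        # both owners leak
    print("parameterized:", lookup_parameterized_only(db, crafted))  # []
    try:
        lookup_hardened(db, crafted)
    except ValueError as exc:
        print("hardened:", exc)
```

Parameter binding is the fix that matters; the allowlist is defence in depth that also gives you a clean rejection event to log and alert on, which is a practical detection signal while a patch is rolled out.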

Fix

Weakness Enumeration

SQL injection

Related Identifiers

CVE-2022-42120
GHSA-R5FJ-J449-VQW2

Affected Products

Liferay DXP
Liferay Portal