CVE-2022-42121

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.1.3 through 7.4.3.4 Liferay DXP 7.1 before fix pack 27 Liferay DXP 7.2 before fix pack 17 Liferay DXP 7.3 before service pack 3 Liferay DXP 7.4 GA

Description A SQL injection issue in the Layout module allows remote authenticated attackers to execute arbitrary SQL commands via a crafted payload injected into a page template's Name field.

Recommendations For Liferay Portal versions 7.1.3 through 7.4.3.4, update to a version outside of this range to mitigate the risk. For Liferay DXP 7.1, apply fix pack 27 or later. For Liferay DXP 7.2, apply fix pack 17 or later. For Liferay DXP 7.3, apply service pack 3 or later. For Liferay DXP 7.4 GA, consider upgrading to a later version or service pack that includes the necessary security fixes. As a temporary workaround, consider restricting access to the Layout module or limiting the ability to inject payloads into page templates until a patch is available.