CVE-2022-42122

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.3.7 Liferay DXP versions 7.3 fix pack 2 through update 4

Description A SQL injection issue in the Friendly Url module allows attackers to execute arbitrary SQL commands via a crafted payload injected into the title field of a friendly URL.

Recommendations For Liferay Portal version 7.3.7, update to a version that includes the fix for this issue. For Liferay DXP versions 7.3 fix pack 2 through update 4, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the Friendly Url module to minimize the risk of exploitation. Avoid using the title field in the affected friendly URL until the issue is resolved.