Lucene search

[email protected]CVE-2022-42120

HistoryNov 15, 2022 - 1:15 a.m.

CVE-2022-42120

2022-11-1501:15:12

CWE-89

[email protected]

web.nvd.nist.gov

cve-2022-42120

sql injection

liferay portal

fragment module

nvd

portletpreferences

security vulnerability

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.002 Low

EPSS

Percentile

53.0%

JSON

A SQL injection vulnerability in the Fragment module in Liferay Portal 7.3.3 through 7.4.3.16, and Liferay DXP 7.3 before update 4, and 7.4 before update 17 allows attackers to execute arbitrary SQL commands via a PortletPreferences’ namespace attribute.

Affected configurations

NVD

Node

liferaydxpMatch7.3-

liferaydxpMatch7.4-

liferayliferay_portalRange7.3.3–7.4.3.16

CPENameOperatorVersion
liferay:dxpliferay dxpeq7.3
liferay:dxpliferay dxpeq7.4
liferay:liferay_portalliferay liferay portalle7.4.3.16

CPE	Name	Operator	Version
liferay:dxp	liferay dxp	eq	7.3
liferay:dxp	liferay dxp	eq	7.4
liferay:liferay_portal	liferay liferay portal	le	7.4.3.16

References

liferay.com

issues.liferay.com/browse/LPE-17513

portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42120

Social References

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.002 Low

EPSS

Percentile

53.0%

JSON

Related for CVE-2022-42120

prion1 osv1 cvelist1 nvd1