CVE-2022-42119
MEDIUM5.4EPSS 0.64%Liferay Portal and Liferay DXP Vulnerable to XSS via the Commerce Module
Published: 11/15/2022Modified: 8/8/2025
Description
Certain Liferay products are vulnerable to Cross Site Scripting (XSS) via the Commerce module. This affects the Commerce module before 4.0.8 from Liferay Portal (7.3.5 through 7.4.2) and Liferay DXP 7.3 before update 8.
Affected packages (2)
- Maven/com.liferay.commerce:com.liferay.commerce.catalog.webfrom 0, < 4.0.8
- Maven/com.liferay.portal:release.dxp.bom>= 7.3.0, < 7.3.10.u8
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
References (6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-42119
- PATCHhttps://github.com/liferay/liferay-portal
- WEBhttp://liferay.com
- WEBhttps://github.com/liferay/liferay-portal/commit/2e02110747dd5cccb978623545bfa1f3ad0a5602
- WEBhttps://issues.liferay.com/browse/LPE-17632
- WEBhttps://web.archive.org/web/20221115040019/https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42119