CVE-2022-42121

HIGH8.8EPSS 0.60%

Liferay Portal and Liferay DXP Vulnerable to SQL Injection via the Layout Module

發布日:2022/11/15修改日:2025/9/5

描述

A SQL injection vulnerability in the Layout module before 4.0.17 from Liferay Portal (7.1.3 through 7.4.3.4), and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before service pack 3, and 7.4 GA allows remote authenticated attackers to execute arbitrary SQL commands via a crafted payload injected into a page template's 'Name' field.

受影響套件(2)

Maven/com.liferay:com.liferay.layout.page.template.servicefrom 0, < 4.0.17
Maven/com.liferay.portal:release.dxp.bom>= 7.1.0, < 7.1.10.fp27

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

參考連結(10)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-42121
PATCHhttps://github.com/liferay/liferay-portal
WEBhttp://liferay.com
WEBhttps://github.com/liferay/liferay-portal/commit/14c8fbbac814c0b511b4f3ade19eafb2182923c7
WEBhttps://github.com/liferay/liferay-portal/commit/5a17acb714c57e36695b7caff8e6a2789e2cf9d0
WEBhttps://github.com/liferay/liferay-portal/commit/82de94e9f3a4425e3ee6c187462d670ae9bfef51
WEBhttps://github.com/liferay/liferay-portal/commit/f245f4b428186c8e5964a9ffe90ccc7e12cf7f66
WEBhttps://issues.liferay.com/browse/LPE-17414
WEBhttps://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2022-42121?p_r_p_assetEntryId=121613426&_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_redirect=https%3A%2F%2Fliferay.dev%3A443%2Fportal%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_r_p_assetEntryId%3D121613426%26_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_cur%3D0%26p_r_p_resetCur%3Dfalse
WEBhttps://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42121