Vulnerability Description
A SQL injection vulnerability in the Fragment module in Liferay Portal 7.3.3 through 7.4.3.16, and Liferay DXP 7.3 before update 4, and 7.4 before update 17 allows attackers to execute arbitrary SQL commands via a PortletPreferences' `namespace` attribute.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Liferay | Dxp | 7.3 |
| Liferay | Liferay Portal | >= 7.3.3, <= 7.4.3.16 |
Related Weaknesses (CWE)
References
- http://liferay.comVendor Advisory
- https://issues.liferay.com/browse/LPE-17513Issue TrackingVendor Advisory
- https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisheVendor Advisory
- http://liferay.comVendor Advisory
- https://issues.liferay.com/browse/LPE-17513Issue TrackingVendor Advisory
- https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisheVendor Advisory
FAQ
What is CVE-2022-42120?
CVE-2022-42120 is a vulnerability with a CVSS score of 9.8 (CRITICAL). A SQL injection vulnerability in the Fragment module in Liferay Portal 7.3.3 through 7.4.3.16, and Liferay DXP 7.3 before update 4, and 7.4 before update 17 allows attackers to execute arbitrary SQL c...
How severe is CVE-2022-42120?
CVE-2022-42120 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2022-42120?
Check the references section above for vendor advisories and patch information. Affected products include: Liferay Dxp, Liferay Liferay Portal.