CVE-2022-42121 com.liferay:com.liferay.layout.page.template.service

Package

Manager: maven
Name: com.liferay:com.liferay.layout.page.template.service
Vulnerable Version: >=0 <4.0.17

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00458 (percentile: 0.63102)

Details

Liferay Portal and Liferay DXP Vulnerable to SQL Injection via the Layout Module

A SQL injection vulnerability in the Layout module before 4.0.17 from Liferay Portal (7.1.3 through 7.4.3.4), and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before service pack 3, and 7.4 GA allows remote authenticated attackers to execute arbitrary SQL commands via a crafted payload injected into a page template's 'Name' field.

Metadata

Created: 2022-11-15T12:00:16Z
Modified: 2025-09-05T19:04:12Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-gxxj-fhmr-37j9/GHSA-gxxj-fhmr-37j9.json
CWE IDs: ["CWE-89"]
Alternative ID: GHSA-gxxj-fhmr-37j9
Finding: F297
Auto approve: 1