CVE-2022-28979 – com.liferay:com.liferay.portal.search.web
Package
Manager: maven
Name: com.liferay:com.liferay.portal.search.web
Vulnerable Version: >=0 <6.0.19
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
EPSS: 0.00365 (percentile: 0.57739)
Details
Liferay Portal and Liferay DXP Vulnerable to XSS in the Portal Search Module
Search Web before v6.0.19 in Liferay Portal (v7.1.0 through v7.4.2) and Liferay DXP 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 was discovered to contain a cross-site scripting (XSS) vulnerability in the Portal Search module's Custom Facet widget. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Custom Parameter Name text field.
Metadata
Created: 2022-09-23T00:00:46Z
Modified: 2025-07-18T19:15:03Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-7r3w-wggm-pjwf/GHSA-7r3w-wggm-pjwf.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-7r3w-wggm-pjwf
Finding: F425
Auto approve: 1