CVE-2022-42121 – com.liferay.portal:release.dxp.bom
Package
Manager: maven
Name: com.liferay.portal:release.dxp.bom
Vulnerable Version: >=7.1.0 <7.1.10.fp27 || >=7.2.0 <7.2.10.fp17
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00458 (percentile: 0.63095)
Details
Liferay Portal and Liferay DXP Vulnerable to SQL Injection via the Layout Module
A SQL injection vulnerability in the Layout module before 4.0.17 from Liferay Portal (7.1.3 through 7.4.3.4), and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before service pack 3, and 7.4 GA allows remote authenticated attackers to execute arbitrary SQL commands via a crafted payload injected into a page template's 'Name' field.
Metadata
Created: 2022-11-15T12:00:16Z
Modified: 2025-09-05T19:04:12Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-gxxj-fhmr-37j9/GHSA-gxxj-fhmr-37j9.json
CWE IDs: ["CWE-89"]
Alternative ID: GHSA-gxxj-fhmr-37j9
Finding: F297
Auto approve: 1