CVE-2022-42120
Severity CVSS v4.0:
Pending analysis
Type:
CWE-89
SQL Injection
Publication date:
15/11/2022
Last modified:
05/09/2025
Description
A SQL injection vulnerability in the Fragment module in Liferay Portal 7.3.3 through 7.4.3.16, and Liferay DXP 7.3 before update 4, and 7.4 before update 17 allows attackers to execute arbitrary SQL commands via a PortletPreferences' `namespace` attribute.
Impact
Base Score 3.x
9.80
Severity 3.x
CRITICAL
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:liferay:dxp:7.3:-:*:*:*:*:*:* | ||
| cpe:2.3:a:liferay:dxp:7.4:-:*:*:*:*:*:* | ||
| cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:* | 7.3.3 (including) | 7.4.3.16 (including) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://liferay.com
- https://issues.liferay.com/browse/LPE-17513
- https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42120
- http://liferay.com
- https://issues.liferay.com/browse/LPE-17513
- https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42120