CVE-2022-42114 An XSS vulnerability in the Role module's edit role assignees page in Liferay Portal 7.4.0 through 7.4.3.36 and Liferay DXP 7.4 before update 37 allows remote attackers to inject arbitrary web script or HTML.

This issue is due to insufficient sanitization of user input before placing it into the database. As a result, a user with administrative privileges can place arbitrary JavaScript into the database. An attacker would only need to trick a user into visiting a malicious URL in order to exploit this vulnerability. An attacker can also host a specially crafted website on a web server and use it to exploit this vulnerability. How Does This Vulnerability Happen? When you assign a role to a user, the system checks if the user has the required permissions for that role. If the user does not have the required permissions, it will notify the administrator with a warning message. If the administrator does not correct the issue, the system will block that user from accessing that role. We have found that if a user has not been assigned any roles, this prevents them from being blocked from accessing the system. This can be exploited by an attacker to trick a user into visiting a malicious website. Once the user has visited the malicious website, the attacker can assign that user any role. This can be done by an administrator with any role, as long as the user has the required permissions. How to Prevent XSS in Liferay Portal 7.4.0 through 7.4.3.36, and Liferay DXP 7.4 Before Update 37? By default, all input fields in Liferay Portal 7.4.0 through 7.4.3.36, and Liferay DXP 7.

Disabling XML External Entity (XXE) Injection in Liferay Portal 7.4.0 through 7.4.3.36, and Liferay DXP 7.4 Before Update 37

In Liferay Portal 7.4.0 through 7.4.3.36, and Liferay DXP 7.4 Before Update 37, by default XML External Entity (XXE) injection is disabled in the Admin Console configuration file liferay-portal-xssfilter-configuration-file/conf/server_configuration_file_jbosspde_file (liferay-portal-xssfilter-configuration ) . In order to enable XML External Entity (XXE) injection in the Admin Console configuration file liferay-portal-xssfilter-configuration -file/conf/server_configuration_file_jbosspde_file (liferay-portal-xssfilter-configuration ), add the following line to the server configuration file:

Liferay v7.4.0 through v7.4.3

.36, and Liferay DXP 7.4 before Update 37 are prone to a vulnerability where malicious JavaScript can be injected into the database. An attacker would only need to trick a user into visiting a malicious URL in order to exploit this vulnerability. An attacker can also host a specially crafted website on a web server and use it to exploit this vulnerability.
An issue was identified with the Liferay Portal 7.4.0 through 7.4.3.36, and Liferay DXP 7.4 before Update 37 by which users were able to place arbitrary JavaScript into the database using their administrative privileges without first sanitizing any user input as required by the application's whitelist/blacklist functionality for executing JavaScript in the database itself or within JSPs submitted from within views and pages of an application (CVE-2022-42114).

Step 1: Update Apache Web Server

If you are using Apache Web Server, update it to Apache 2.2 or later.

Timeline

Published on: 10/18/2022 21:15:00 UTC
Last modified on: 10/20/2022 18:09:00 UTC

References