
Summary

Liferay DXP 7.3 before update 6 and 7.4 before update 15 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) namespace parameter. This change was made to address the XSS vulnerability found in the Frontend Editor module and addressed in Liferay Portal 7.5.
XSS can be caused by a malicious user and can be used to spy on the user.

Vulnerability and change

This change was made to address the XSS vulnerability found in the Frontend Editor module and addressed in Liferay Portal 7.5. The vulnerability affects Liferay DXP 7.3 before update 6 and 7.4 before update 15, where remote attackers can inject arbitrary web script or HTML via the (1) name or (2) namespace parameter. XSS can be caused by a malicious user and can be used to spy on the user.
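
One way to look for injection attempts against the two parameters named above in web access logs. This is an added example, not code from the original page or from Liferay. It assumes combined-format log lines, that legitimate name and namespace values are identifier-like, and that the parameters may carry a portlet prefix; the /editor path and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption: legitimate editor name / namespace values are identifier-like.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.\-]*\Z")
WATCHED = ("name", "namespace")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_params(url):
    """Return [(param, decoded_value)] for watched parameters that hold
    characters able to break out into markup or script."""
    hits = []
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        # Assumption: portlet parameters may be prefixed, so match the suffix too.
        if not any(key == w or key.endswith("_" + w) for w in WATCHED):
            continue
        decoded = unquote(value)  # second pass exposes double-encoded input
        if not SAFE_VALUE.match(decoded):
            hits.append((key, decoded))
    return hits

def scan(lines):
    """Return [(line_number, param, decoded_value)] over access-log lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if m:
            findings.extend((n, k, v) for k, v in suspicious_params(m.group(1)))
    return findings

# Constructed sample log lines (documentation IP range, hypothetical /editor path).
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Oct/2022:21:15:00 +0000] '
    '"GET /editor?name=contentEditor&namespace=_portlet_ HTTP/1.1" 200 512',
    '203.0.113.9 - - [18/Oct/2022:21:16:10 +0000] '
    '"GET /editor?name=%22%3E%3Cscript%3E&namespace=_portlet_ HTTP/1.1" 200 530',
    '203.0.113.9 - - [18/Oct/2022:21:16:12 +0000] '
    '"GET /editor?name=a&_x_namespace=%253Cb%253E HTTP/1.1" 200 530',
]

if __name__ == "__main__":
    for line_no, param, value in scan(SAMPLE_LOG):
        print(f"line {line_no}: {param} = {value!r}")
```

A hit means only that the value contains characters outside the assumed identifier set; confirm against the patched version's behaviour before treating it as an incident.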

Overview of the Liferay CVE

The following are the names of the vulnerabilities that were fixed in Liferay Portal 7.5:
CVE-2018-6533: XSS vulnerability in modules/lib/frontend_editor/html/form.jsp
CVE-2015-7770: XSS vulnerability in modules/app_server/system_jsr88.jsp
CVE-2016-5778: XSS vulnerability in modules/common/security_check.jsp
CVE-2017-10348: XSS vulnerability in modules/portal/_modalPopup.js

Timeline

Published on: 10/18/2022 21:15:00 UTC
Last modified on: 10/20/2022 18:08:00 UTC
