
Exploitation Scenario

This issue may occur in the following scenario:

- A user browses to a malicious website and accesses a vulnerable Liferay Portal page.
- The user visits a different website and accesses a vulnerable Liferay page. In this way, a remote attacker can inject arbitrary web script or HTML into the vulnerable site. In a different scenario, a remote attacker can inject arbitrary remote script or HTML into the vulnerable site. This may lead to information disclosure.
- A user visits a malicious website and accesses a vulnerable Liferay DXP page. In this way, a remote attacker can inject arbitrary remote script or HTML into the vulnerable site. This may lead to information disclosure.

The following are the instructions to exploit this vulnerability:

- Obtain the email address of a user from a malicious website.
- Create a malicious email message in an email client and send it to the user.
- The user visits a malicious website and accesses a vulnerable Liferay DXP page. In this way, a remote attacker can inject arbitrary remote script or HTML into the vulnerable site. This may lead to information disclosure.

Timeline

Published on: 10/18/2022 21:15:00 UTC
Last modified on: 10/20/2022 18:08:00 UTC

References