CVE-2022-42118 is a Cross-site Scripting (XSS) vulnerability found in Liferay Portal's Search module, which may seriously compromise the security of web applications built with Liferay. In this post, I’ll break down what CVE-2022-42118 is, which Liferay versions are affected, how the exploit works, what the code looks like in real life, and where you can learn more or patch your platform.
What Is CVE-2022-42118?
CVE-2022-42118 is a classic reflected XSS vulnerability. It lives in the Portal Search module, affecting both open-source Liferay Portal 7.1. through 7.4.2 and commercial Liferay DXP versions:
DXP 7.3 before service pack 3
Using this bug, an attacker can inject malicious JavaScript or HTML into the page by manipulating the tag parameter in a search request. When an admin, user, or visitor clicks or follows a crafted link, the script executes in their browser.
User Visits Malicious Link: The attacker sends a crafted URL to a victim.
2. Server Unfilteredly Returns Input: Input from the tag parameter is returned in the response page without proper filtering.
3. JavaScript Executes in Browser: If the victim clicks the link, JavaScript executes in the context of the Liferay site—they are now targets.
Example of a malicious URL
https://example.com/search/tag?tag=<script>alert('XSS')</script>;
The above URL would pop up an alert box on someone’s screen. With a real attack, this could be a script that sends your session cookie to the attacker instead.
A simplified representation of the problematic backend code might look like this
// Very simplified for illustration:
String tag = request.getParameter("tag"); // Unsafe
out.println("<div>" + tag + "</div>"); // Unsafely outputs user's input
Here, whatever is in tag gets dropped into the page raw—no escaping or validation.
In a real Liferay JSP, this could look like
<%= request.getParameter("tag") %>
If you pass <script>alert('XSS')</script>, this will inject a script tag right in the HTML.
Safer code would use HTML escaping
<%= HtmlUtil.escape(request.getParameter("tag")) %>
Here’s how you test for this bug (only on systems you own or have permission to test!)
1. Browse to the vulnerable search/tag endpoint.
Manually add your script payload to the tag parameter
https://your-liferay-site/search/tag?tag=<img src=x onerror=alert('xss')>
How to Patch CVE-2022-42118
Liferay fixed this bug by escaping user input before placing it in the DOM. If you’re running any of the affected versions, upgrade immediately:
DXP 7.3: Service Pack 3+
- See official Liferay Patch Information (official blog post)
Also, if you have custom code using user-supplied parameters, always wrap output with HtmlUtil.escape() or Liferay’s built-in safe output methods.
References and Links
- Liferay Official CVE Advisory
- NVD CVE-2022-42118 Details
- Liferay DXP Security Fix Packs
Summary
CVE-2022-42118 made it easy for attackers to trigger XSS via the tag search feature in Liferay Portal up to 7.4.2 and earlier Liferay DXP fixpacks. Fixing it is simply a matter of patching, but it’s a huge reminder: Always escape what users send you!
If you manage a Liferay install, patch now and review your code. XSS is easy to exploit, but also easy to prevent—if you know where to look.
Want a deeper technical walk-through? Have questions about your configuration? Drop them in the comments or message me directly. Stay safe and patch often!
Timeline
Published on: 11/15/2022 01:15:00 UTC
Last modified on: 11/17/2022 14:42:00 UTC