Description

Liferay Portal v7.1.0 through v7.4.2 and Liferay DXP 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 was discovered to contain a cross-site scripting (XSS) vulnerability in the Portal Search module's Custom Facet widget. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Custom Parameter Name text field.

Related CPE's

a

liferay

digital_experience_platform

41

a

liferay

dxp

4

a

liferay

liferay_portal

Vulnerable

References

http://liferay.com

Product

https://issues.liferay.com/browse/LPE-17381

Issue TrackingPatchVendor Advisory

https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28979-xss-in-custom-facet-widget

Vendor Advisory

http://liferay.com

Product

https://issues.liferay.com/browse/LPE-17381

Issue TrackingPatchVendor Advisory

https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28979-xss-in-custom-facet-widget

Vendor Advisory

Weaknesses

[email protected]

Primary
CWE-79

134c704f-9b21-4f2e-91b3-4a467353bcc0

Secondary
CWE-79

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.1 · Medium

Information

Source identifier

[email protected]

Vulnerability status

Modified

Published

2022-09-21T22:15:09.880Z

3 years ago

Last modified

2025-05-27T18:15:22.780Z

9 months ago