A SQL injection vulnerability in the Fragment module in Liferay Portal 7.3.3 through 7.4.3.16, and Liferay DXP 7.3 before update 4, and 7.4 before update 17 allows attackers to execute arbitrary SQL commands via a PortletPreferences' `namespace` attribute.
References
Link | Resource |
---|---|
http://liferay.com | Vendor Advisory |
https://issues.liferay.com/browse/LPE-17513 | Issue Tracking Vendor Advisory |
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42120 | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2022-11-15T00:00:00
Updated: 2022-11-15T00:00:00
Reserved: 2022-10-03T00:00:00
Link: CVE-2022-42120
JSON object: View
NVD Information
Status : Analyzed
Published: 2022-11-15T01:15:12.733
Modified: 2022-11-17T14:50:42.357
Link: CVE-2022-42120
JSON object: View
Redhat Information
No data.
CWE