WEB APPLICATION VULNERABILITIES Standard & Premium

Liferay DXP Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2022-42121)

Description

A SQL injection vulnerability in the Layout module in Liferay Portal 7.1.3 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before service pack 3, and 7.4 GA allows remote authenticated attackers to execute arbitrary SQL commands via a crafted payload injected into a page template's 'Name' field.

Remediation

References

Related Vulnerabilities

Piwigo Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2009-2933)

WordPress Plugin Groups Multiple Cross-Site Scripting Vulnerabilities (1.8.0)

WordPress Plugin YITH Color and Label Variations for WooCommerce Security Bypass (1.8.11)

MySQL CVE-2013-5891 Vulnerability (CVE-2013-5891)

WordPress Plugin Booking.com Banner Creator Cross-Site Scripting (1.4.2)

Severity

High

Classification

CVE-2022-42121 CWE-138 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities