CVE-2022-42122 : A SQL injection vulnerability in the Friendly Url module in Liferay Portal 7.3.7

A SQL injection vulnerability in the Friendly Url module in Liferay Portal 7.3.7, and Liferay DXP 7.3 fix pack 2 through update 4 allows attackers to execute arbitrary SQL commands via a crafted payload injected into the `title` field of a friendly URL.

Published 2022-11-15 01:15:13

Updated 2022-11-17 15:00:24

Source MITRE

View at NVD, CVE.org

Vulnerability category: Sql Injection

Products affected by CVE-2022-42122

Liferay » Liferay Portal » Version: 7.3.7
cpe:2.3:a:liferay:liferay_portal:7.3.7:*:*:*:*:*:*:*
Matching versions
Liferay » DXP » Version: 7.3 Update Fix Pack 2
cpe:2.3:a:liferay:dxp:7.3:fix_pack_2:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2022-42122

Top countries where our scanners detected CVE-2022-42122

Top open port discovered on systems with this issue 80

IPs affected by CVE-2022-42122 5

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2022-42122!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2022-42122

EPSS FAQ

0.23%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 43 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-42122

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-42122

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-42122

http://liferay.com

Digital Experience Software Tailored to Your Needs | Liferay
Vendor Advisory

CVEs referencing this url
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42122

CVE-2022-42122 SQL injection in friendly URL upgrade
Vendor Advisory
https://issues.liferay.com/browse/LPE-17520

[LPE-17520] LSV-1041: SQL injection in friendly URL upgrade - Liferay Issues
Issue Tracking;Vendor Advisory