[LPE-17414] LSV-961: SQL injection vulnerability during page template upgrade - Liferay Issues

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 7.1 DXP (7.1.10)
Fix Version/s: 7.1.x EE
Component/s: None
Labels:

CVE IDs:
CVE-2022-42121
CVSS Base Score:
6.4
CVSS Vector String:
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
7.1 Fix Pack Version:
27
7.2 Fix Pack Version:
17
7.3 Fix Pack Version:
3
7.4 Fix Pack Version:
1

Description

SQL injection vulnerability in the Layout module's page template upgrade process in Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before service pack 3, and 7.4 GA allows remote authenticated attackers to execute arbitrary SQL commands via a crafted payload injected into a page template's 'Name' field. To exploit this vulnerability, the attacker must create a page template with a malicious name in Liferay DXP 7.1 before fix pack 11, and wait for the application to be upgraded.

Attachments

Activity

People

Assignee:: EE Support

Reporter:: Enterprise Release HU

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 10/Nov/21 6:33 AM

Updated:: 18/Oct/22 8:12 PM

Resolved:: 13/Jul/22 3:14 PM

Packages

Version	Package
7.1.x EE