CVE-2022-28982

Published: Sep 22, 2022Modified: May 27, 2025

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

A cross-site scripting (XSS) vulnerability in Liferay Portal v7.3.3 through v7.4.2 and Liferay DXP v7.3 before service pack 3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name of a tag.

Affected (5)

Products: Liferay: Dxp, Liferay Portal

Liferay

2 products

Dxp

Liferay Portal

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Liferay Dxp	Version 7.3
Liferay Dxp	Version 7.3 sp1
Liferay Dxp	Version 7.3 sp2
Liferay Dxp	Version 7.3 sp3
Liferay Liferay Portal	From 7.3.3 to 7.4.3.4

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

http://liferay.com

Source: cve@mitre.org

Product

https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28982-reflected-xss-with-tag-name-in-%253Cliferay-asset-asset-tags-selector%253E

Source: cve@mitre.org

Vendor Advisory

http://liferay.com

Source: af854a3a-2127-422b-91ae-364da2661108

Product

https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28982-reflected-xss-with-tag-name-in-%253Cliferay-asset-asset-tags-selector%253E

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.