Description
A SQL injection vulnerability in the Friendly Url module in Liferay Portal 7.3.7 and Liferay DXP 7.3 fix pack 2 through update 4 allows attackers to execute arbitrary SQL commands via a crafted payload injected into the `title` field of a friendly URL.