CVE-2022-28979 Liferay Portal versions 7.1.0 through 7.4.2, 7.2 before fix pack 15, and 7.3 before service pack 3 is vulnerable to XSS in the Custom Facet widget of the Portal Search module.

CVE-2018-5374 An arbitrary cross-site scripting (XSS) vulnerability has been reported in Liferay Portal v7.1.0 through v7.4.2 and Liferay DXP 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the portal_metadata_expansion parameter in a Search request.
Red Hat Enterprise Linux 6 was found to be vulnerable to a privilege escalation vulnerability due to the presence of unquoted user names in the web server's configuration. A remote attacker could leverage this vulnerability to escalate their privileges to root on the system.
Red Hat Enterprise Linux 6 was also found to be vulnerable to a cross-site scripting (XSS) vulnerability due to the presence of unquoted user names in the web server's configuration. A remote attacker could leverage this flaw to inject arbitrary web script or HTML via the server_name or server_hostname parameters.
Red Hat Enterprise Linux 6 was found to be vulnerable to a privilege escalation vulnerability due to the presence of unquoted user names in the web server's configuration. A remote attacker could leverage this flaw to escalate their privileges to root on the system. Red Hat Enterprise Linux 6 was also found to be vulnerable to a cross-site scripting (XSS) vulnerability due to the presence of unquoted user names in the web server's configuration.

Products Affected

The following versions of the software are affected:

Liferay Portal v7.1.0 through v7.4.2 (CVE-2018-5374)
Liferay DXP 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 (CVE-2022-28979)

Affected Software:

Liferay Portal v7.1.0 through v7.4.2 and Liferay DXP 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3
Red Hat Enterprise Linux 6

Timeline

Published on: 09/22/2022 00:15:00 UTC
Last modified on: 09/23/2022 18:19:00 UTC

References