1+ {
2+ "schema_version" : " 1.4.0"
3+ "id" : " GHSA-7r3w-wggm-pjwf"
4+ "modified" : " 2025-07-18T19:15:03Z"
5+ "published" : " 2022-09-23T00:00:46Z"
6+ "aliases" : [
7+ " CVE-2022-28979"
8+ ],
9+ "summary" : " Liferay Portal and Liferay DXP Vulnerable to XSS in the Portal Search Module"
10+ "details" : " In Search Web before v6.0.19 in Liferay Portal (v7.1.0 through v7.4.2) and Liferay DXP 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 was discovered to contain a cross-site scripting (XSS) vulnerability in the Portal Search module's Custom Facet widget. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Custom Parameter Name text field."
11+ "severity" : [
12+ {
13+ "type" : " CVSS_V3"
14+ "score" : " CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
15+ }
16+ ],
17+ "affected" : [
18+ {
19+ "package" : {
20+ "ecosystem" : " Maven"
21+ "name" : " com.liferay:com.liferay.portal.search.web"
22+ },
23+ "ranges" : [
24+ {
25+ "type" : " ECOSYSTEM"
26+ "events" : [
27+ {
28+ "introduced" : " 0"
29+ },
30+ {
31+ "fixed" : " 6.0.19"
32+ }
33+ ]
34+ }
35+ ]
36+ },
37+ {
38+ "package" : {
39+ "ecosystem" : " Maven"
40+ "name" : " com.liferay.portal:release.dxp.bom"
41+ },
42+ "ranges" : [
43+ {
44+ "type" : " ECOSYSTEM"
45+ "events" : [
46+ {
47+ "introduced" : " 7.1.0"
48+ }
49+ ]
50+ }
51+ ],
52+ "database_specific" : {
53+ "last_known_affected_version_range" : " < 7.1.10.fp26"
54+ }
55+ },
56+ {
57+ "package" : {
58+ "ecosystem" : " Maven"
59+ "name" : " com.liferay.portal:release.dxp.bom"
60+ },
61+ "ranges" : [
62+ {
63+ "type" : " ECOSYSTEM"
64+ "events" : [
65+ {
66+ "introduced" : " 7.2.0"
67+ }
68+ ]
69+ }
70+ ],
71+ "database_specific" : {
72+ "last_known_affected_version_range" : " < 7.2.10.fp15"
73+ }
74+ }
75+ ],
76+ "references" : [
77+ {
78+ "type" : " ADVISORY"
79+ "url" : " https://nvd.nist.gov/vuln/detail/CVE-2022-28979"
80+ },
81+ {
82+ "type" : " WEB"
83+ "url" : " https://github.com/liferay/liferay-portal/commit/e18065248673c77927f4839439aa200bfb965ced"
84+ },
85+ {
86+ "type" : " PACKAGE"
87+ "url" : " https://github.com/liferay/liferay-portal"
88+ },
89+ {
90+ "type" : " WEB"
91+ "url" : " https://issues.liferay.com/browse/LPE-17381"
92+ },
93+ {
94+ "type" : " WEB"
95+ "url" : " https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2022-28979-xss-in-custom-facet-widget?p_r_p_assetEntryId=121612377&_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_redirect=https%3A%2F%2Fliferay.dev%3A443%2Fportal%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_r_p_assetEntryId%3D121612377%26_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_cur%3D0%26p_r_p_resetCur%3Dfalse"
96+ },
97+ {
98+ "type" : " WEB"
99+ "url" : " https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28979-xss-in-custom-facet-widget"
100+ },
101+ {
102+ "type" : " WEB"
103+ "url" : " http://liferay.com"
104+ }
105+ ],
106+ "database_specific" : {
107+ "cwe_ids" : [
108+ " CWE-79"
109+ ],
110+ "severity" : " MODERATE"
111+ "github_reviewed" : true ,
112+ "github_reviewed_at" : " 2025-07-18T19:15:03Z"
113+ "nvd_published_at" : " 2022-09-22T00:15:00Z"
114+ }
115+ }
0 commit comments