CVE-2022-42113 is a Cross-site Scripting (XSS) vulnerability identified in the Document Library module of Liferay Portal versions 7.4.3.30 through 7.4.3.36 and Liferay DXP 7.4 update 30 through update 36. This vulnerability allows remote attackers to inject arbitrary web scripts or HTML code via the 'redirect' parameter. The vulnerability arises due to insufficient input validation or sanitization of the 'redirect' parameter, which is reflected in the web application's response. When a victim user interacts with a crafted URL containing malicious script code in the 'redirect' parameter, the injected script executes in the context of the victim's browser session. This can lead to theft of session cookies, user impersonation, or other malicious actions that compromise confidentiality and integrity of user data. The CVSS v3.1 base score is 6.1, indicating a medium severity level. The vector string (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) shows that the attack is network exploitable, requires no privileges, but does require user interaction (clicking a crafted link). The scope is changed, meaning the vulnerability affects resources beyond the vulnerable component. The impact is limited to partial loss of confidentiality and integrity, with no impact on availability. No known exploits are currently reported in the wild, but the vulnerability is publicly disclosed and could be targeted by attackers. No official patches or mitigation links are provided in the data, so organizations must verify vendor advisories for updates. The vulnerability is classified under CWE-79, which covers improper neutralization of input leading to XSS.

For European organizations using Liferay Portal or Liferay DXP within the affected versions, this vulnerability poses a risk of client-side attacks that can compromise user sessions and data confidentiality. Since Liferay is widely used for enterprise content management, intranet portals, and customer-facing web applications, exploitation could lead to unauthorized access to sensitive information, session hijacking, or phishing attacks leveraging the trusted domain. The impact is particularly significant for organizations handling personal data under GDPR, as successful exploitation could result in data breaches and regulatory penalties. Additionally, the vulnerability could undermine user trust and damage organizational reputation. The requirement for user interaction means social engineering or phishing campaigns may be used to exploit this vulnerability. However, the lack of known active exploits reduces immediate risk, though the public disclosure increases the likelihood of future attacks. Organizations with public-facing Liferay portals are at higher risk compared to internal-only deployments.

1. Immediately verify with Liferay for official security patches or updates addressing CVE-2022-42113 and apply them promptly. 2. If patches are not yet available, implement web application firewall (WAF) rules to detect and block malicious payloads targeting the 'redirect' parameter, focusing on script tags and suspicious input patterns. 3. Conduct input validation and output encoding on the 'redirect' parameter at the application level to neutralize potentially malicious scripts. 4. Educate users about phishing risks and suspicious links to reduce the chance of successful social engineering attacks exploiting this vulnerability. 5. Monitor web server and application logs for unusual requests containing suspicious 'redirect' parameter values. 6. Restrict the use of the 'redirect' parameter to a whitelist of safe URLs or domains to prevent arbitrary redirection and script injection. 7. Review and enhance Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers accessing the portal. 8. Regularly audit and test the portal for XSS and other injection vulnerabilities as part of the security program.