CVE-2022-42118 is a Cross-site Scripting (XSS) vulnerability identified in the Portal Search module of Liferay Portal versions 7.1.0 through 7.4.2, as well as Liferay DXP versions 7.1 (before fix pack 27), 7.2 (before fix pack 15), and 7.3 (before service pack 3). The vulnerability arises due to insufficient sanitization of the `tag` parameter, which allows remote attackers to inject arbitrary web scripts or HTML content. When a victim user interacts with a crafted URL or input containing malicious scripts in the vulnerable parameter, the injected code executes in the context of the victim’s browser session. This can lead to theft of session cookies, user impersonation, or manipulation of displayed content. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation. The CVSS v3.1 base score is 6.1 (medium severity), reflecting that the attack vector is network-based (remote), requires no privileges, but does require user interaction (clicking or visiting a malicious link). The scope is changed (S:C), indicating that the vulnerability can affect resources beyond the vulnerable component, and the impact on confidentiality and integrity is low, with no impact on availability. No known exploits in the wild have been reported to date. The vulnerability affects multiple versions of Liferay Portal and DXP, which are widely used enterprise portal platforms for building websites, intranets, and digital experience platforms.

For European organizations using Liferay Portal or Liferay DXP, this vulnerability poses a risk primarily to web application users and administrators. Successful exploitation can lead to session hijacking, unauthorized actions performed on behalf of users, or phishing attacks leveraging the trusted portal interface. This can compromise sensitive corporate information, user credentials, and internal communications. Organizations in sectors such as government, finance, healthcare, and education that rely on Liferay for their public-facing or internal portals may face reputational damage and regulatory scrutiny under GDPR if personal data is exposed or manipulated. Although the vulnerability does not directly impact system availability, the integrity and confidentiality of user sessions and data are at risk. The requirement for user interaction limits automated exploitation but does not eliminate risk, especially in environments with high user traffic or where social engineering can be employed. Given the widespread use of Liferay in Europe, the vulnerability could be leveraged in targeted attacks against critical infrastructure or high-value organizations.

To mitigate this vulnerability, European organizations should prioritize applying the official Liferay fix packs: fix pack 27 for Liferay DXP 7.1, fix pack 15 for 7.2, and service pack 3 for 7.3, or upgrade to Liferay Portal versions beyond 7.4.2 where the issue is resolved. In the absence of immediate patching, organizations should implement strict input validation and output encoding on the `tag` parameter at the web application firewall (WAF) or reverse proxy level to block or sanitize malicious payloads. Deploying Content Security Policy (CSP) headers can help restrict the execution of injected scripts. Additionally, user awareness training to recognize suspicious links and phishing attempts can reduce the likelihood of successful exploitation. Regular security assessments and penetration testing focused on web application vulnerabilities should be conducted to detect similar injection points. Monitoring web server logs for unusual requests containing suspicious `tag` parameter values can aid in early detection of exploitation attempts. Finally, organizations should review and limit the exposure of the Portal Search module to only trusted users or networks where feasible.