CVE-2022-42118: 
Java vulnerability analysis and mitigation

A Cross-site scripting (XSS) vulnerability was discovered in the Portal Search module's Tag Facet widget in Liferay Portal versions 7.1.0 through 7.4.2. The vulnerability, identified as CVE-2022-42118, was disclosed on October 19, 2022, and affects multiple versions of Liferay Portal and Liferay DXP platforms (Liferay Security, CVE Details).

The vulnerability exists in the Portal Search module where the process does not properly validate user-supplied data in the 'tag' parameter, allowing injection of arbitrary web script or HTML. The vulnerability has been assigned a CVSS v3.1 score of 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N), indicating moderate severity with network attack vector, low attack complexity, and no privileges required (Liferay Security).

The vulnerability allows remote attackers to inject malicious web scripts or HTML through the application's search functionality. This could potentially lead to the execution of unauthorized scripts in users' browsers, potentially compromising confidentiality and integrity of user data (Liferay Security).

A fix has been released in Liferay Portal version 7.4.3.4. For Liferay Portal versions 7.1, 7.2, and 7.3, no direct fixes are available, and users are advised to upgrade to Liferay Portal 7.4. For Liferay DXP users, fixes are available in version 7.1 fix pack 27, 7.2 fix pack 15, and 7.3 service pack 3 (Liferay Security).