{"id":"GHSA-7m65-hmvg-rxpc","summary":"Liferay Portal and Liferay DXP Vulnerable to XSS in the Site Module","details":"Stored cross-site scripting (XSS) vulnerability in the Site module's user membership administration page in Liferay Site Memberships Web before 5.0.10 from Liferay Portal (7.0.1 through 7.4.1), and Liferay DXP 7.0 before fix pack 102, 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via a user's name.","aliases":["CVE-2022-28978"],"modified":"2025-07-16T15:42:16.801706Z","published":"2022-09-23T00:00:46Z","database_specific":{"github_reviewed_at":"2025-07-16T14:52:02Z","nvd_published_at":"2022-09-22T00:15:00Z","severity":"MODERATE","cwe_ids":["CWE-79"],"github_reviewed":true},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-28978"},{"type":"WEB","url":"https://github.com/liferay/liferay-portal/commit/ffdc9d1f8abf484598afdc51671a30533740c16d"},{"type":"PACKAGE","url":"https://github.com/liferay/liferay-portal"},{"type":"WEB","url":"https://liferay.atlassian.net/browse/LPE-17332"},{"type":"WEB","url":"https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2022-28978-stored-xss-with-user-name-in-site-membership?p_r_p_assetEntryId=121612301&_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_redirect=https%3A%2F%2Fliferay.dev%3A443%2Fportal%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_r_p_assetEntryId%3D121612301%26_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_cur%3D0%26p_r_p_resetCur%3Dfalse"},{"type":"WEB","url":"https://web.archive.org/web/20220922015759/https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28978-stored-xss-with-user-nam
e-in-site-membership"},{"type":"WEB","url":"http://liferay.com"}],"affected":[{"package":{"name":"com.liferay:com.liferay.site.memberships.web","ecosystem":"Maven","purl":"pkg:maven/com.liferay/com.liferay.site.memberships.web"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.0.10"}]}],"versions":["1.0.0","1.0.1","1.0.10","1.0.11","1.0.12","1.0.13","1.0.14","1.0.15","1.0.16","1.0.17","1.0.18","1.0.19","1.0.2","1.0.20","1.0.21","1.0.22","1.0.23","1.0.24","1.0.25","1.0.26","1.0.27","1.0.28","1.0.29","1.0.3","1.0.30","1.0.31","1.0.32","1.0.33","1.0.34","1.0.35","1.0.36","1.0.37","1.0.38","1.0.39","1.0.4","1.0.40","1.0.41","1.0.42","1.0.43","1.0.44","1.0.45","1.0.46","1.0.47","1.0.48","1.0.49","1.0.5","1.0.50","1.0.51","1.0.52","1.0.53","1.0.54","1.0.55","1.0.56","1.0.57","1.0.58","1.0.59","1.0.6","1.0.60","1.0.61","1.0.62","1.0.63","1.0.64","1.0.65","1.0.66","1.0.67","1.0.68","1.0.69","1.0.7","1.0.70","1.0.71","1.0.72","1.0.73","1.0.74","1.0.75","1.0.76","1.0.77","1.0.78","1.0.79","1.0.8","1.0.80","1.0.81","1.0.9","2.0.0","2.0.1","2.0.10","2.0.11","2.0.12","2.0.13","2.0.14","2.0.15","2.0.16","2.0.17","2.0.18","2.0.19","2.0.2","2.0.20","2.0.21","2.0.22","2.0.23","2.0.24","2.0.25","2.0.26","2.0.27","2.0.28","2.0.29","2.0.3","2.0.30","2.0.31","2.0.32","2.0.33","2.0.34","2.0.35","2.0.36","2.0.37","2.0.38","2.0.39","2.0.4","2.0.40","2.0.41","2.0.42","2.0.43","2.0.44","2.0.45","2.0.46","2.0.47","2.0.48","2.0.49","2.0.5","2.0.50","2.0.51","2.0.52","2.0.53","2.0.54","2.0.55","2.0.56","2.0.57","2.0.58","2.0.59","2.0.6","2.0.60","2.0.61","2.0.62","2.0.7","2.0.8","2.0.9","3.0.0","3.0.1","3.0.10","3.0.11","3.0.12","3.0.13","3.0.14","3.0.15","3.0.16","3.0.17","3.0.18","3.0.19","3.0.2","3.0.20","3.0.21","3.0.22","3.0.23","3.0.24","3.0.25","3.0.26","3.0.27","3.0.28","3.0.29","3.0.3","3.0.30","3.0.31","3.0.32","3.0.33","3.0.34","3.0.35","3.0.36","3.0.37","3.0.38","3.0.39","3.0.4","3.0.40","3.0.41","3.0.42","3.0.43","3.0.44","3.0.45","3.0.46","3.0.47","3.0.48","3
.0.49","3.0.5","3.0.50","3.0.51","3.0.52","3.0.53","3.0.54","3.0.55","3.0.56","3.0.57","3.0.58","3.0.59","3.0.6","3.0.60","3.0.61","3.0.62","3.0.63","3.0.64","3.0.7","3.0.8","3.0.9","4.0.0","4.0.1","4.0.10","4.0.11","4.0.12","4.0.13","4.0.14","4.0.15","4.0.16","4.0.17","4.0.18","4.0.19","4.0.2","4.0.20","4.0.21","4.0.22","4.0.23","4.0.24","4.0.25","4.0.26","4.0.27","4.0.28","4.0.29","4.0.3","4.0.30","4.0.31","4.0.32","4.0.33","4.0.34","4.0.35","4.0.36","4.0.37","4.0.38","4.0.39","4.0.4","4.0.40","4.0.41","4.0.42","4.0.43","4.0.44","4.0.45","4.0.46","4.0.47","4.0.48","4.0.49","4.0.5","4.0.50","4.0.51","4.0.52","4.0.53","4.0.54","4.0.55","4.0.56","4.0.57","4.0.6","4.0.7","4.0.8","4.0.9","5.0.0","5.0.1","5.0.2","5.0.3","5.0.4","5.0.5","5.0.6","5.0.7","5.0.8","5.0.9"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-7m65-hmvg-rxpc/GHSA-7m65-hmvg-rxpc.json"}},{"package":{"name":"com.liferay.portal:release.dxp.bom","ecosystem":"Maven","purl":"pkg:maven/com.liferay.portal/release.dxp.bom"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"7.0.0"},{"fixed":"7.0.10.fp102"}]}],"versions":["7.0.10.fp100","7.0.10.fp101","7.0.10.fp60","7.0.10.fp61","7.0.10.fp62","7.0.10.fp63","7.0.10.fp64","7.0.10.fp65","7.0.10.fp66","7.0.10.fp67","7.0.10.fp68","7.0.10.fp69","7.0.10.fp70","7.0.10.fp71","7.0.10.fp72","7.0.10.fp73","7.0.10.fp74","7.0.10.fp75","7.0.10.fp76","7.0.10.fp77","7.0.10.fp78","7.0.10.fp79","7.0.10.fp80","7.0.10.fp81","7.0.10.fp82","7.0.10.fp83","7.0.10.fp84","7.0.10.fp85","7.0.10.fp85-1","7.0.10.fp86","7.0.10.fp86-1","7.0.10.fp87","7.0.10.fp87-1","7.0.10.fp88","7.0.10.fp89","7.0.10.fp90","7.0.10.fp91","7.0.10.fp92","7.0.10.fp94","7.0.10.fp94-1","7.0.10.fp95","7.0.10.fp95-1","7.0.10.fp95-2","7.0.10.fp97","7.0.10.fp98"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-7m65-hmvg-rxpc/GHSA-7m65-hmvg-rxpc.json"}},{"package"
:{"name":"com.liferay.portal:release.dxp.bom","ecosystem":"Maven","purl":"pkg:maven/com.liferay.portal/release.dxp.bom"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"7.1.0"},{"fixed":"7.1.10.fp26"}]}],"versions":["7.1.10","7.1.10.fp1","7.1.10.fp10","7.1.10.fp11","7.1.10.fp12","7.1.10.fp13","7.1.10.fp14","7.1.10.fp15","7.1.10.fp16","7.1.10.fp17","7.1.10.fp18","7.1.10.fp19","7.1.10.fp2","7.1.10.fp20","7.1.10.fp22","7.1.10.fp24","7.1.10.fp25","7.1.10.fp3","7.1.10.fp4","7.1.10.fp5","7.1.10.fp6","7.1.10.fp7","7.1.10.fp8","7.1.10.fp9"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-7m65-hmvg-rxpc/GHSA-7m65-hmvg-rxpc.json"}},{"package":{"name":"com.liferay.portal:release.dxp.bom","ecosystem":"Maven","purl":"pkg:maven/com.liferay.portal/release.dxp.bom"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"7.2.0"},{"fixed":"7.2.10.fp15"}]}],"versions":["7.2.1","7.2.10","7.2.10.fp1","7.2.10.fp1-1","7.2.10.fp10","7.2.10.fp11","7.2.10.fp12","7.2.10.fp13","7.2.10.fp14","7.2.10.fp2","7.2.10.fp3","7.2.10.fp4","7.2.10.fp5","7.2.10.fp6","7.2.10.fp7","7.2.10.fp8","7.2.10.fp9"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-7m65-hmvg-rxpc/GHSA-7m65-hmvg-rxpc.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}