A SQL injection vulnerability in the Friendly Url module in Liferay Portal 7.3.7 and Liferay DXP 7.3 fix pack 2 through update 4 allows attackers to execute arbitrary SQL commands via a crafted payload injected into the `title` field of a friendly URL.

| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| com.liferay.portal:release.portal.bom (Maven) | 7.3.7 | 7.4.0-ga1 | N/A |
| com.liferay.portal:release.dxp.bom (Maven) | 7.3.10.fp2 | 7.3.10.u4 | N/A |
| com.liferay:com.liferay.friendly.url.service (Maven) | 0 | 4.0.3 | N/A |

CVSS Metrics