A SQL injection vulnerability in the Friendly Url module in Liferay Portal 7.3.7 and Liferay DXP 7.3 fix pack 2 through update 4 allows attackers to execute arbitrary SQL commands via a crafted payload injected into the title field of a friendly URL.
{ "nvd_published_at": "2022-11-15T01:15:00Z", "severity": "CRITICAL", "github_reviewed_at": "2025-07-16T17:36:25Z", "github_reviewed": true, "cwe_ids": [ "CWE-89" ] }