CVE-2024-26271

Published: Oct 22, 2024Modified: Dec 10, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Cross-site request forgery (CSRF) vulnerability in the My Account widget in Liferay Portal 7.4.3.75 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 update 75 through update 92 and 7.3 update 32 through update 36 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the _com_liferay_my_account_web_portlet_MyAccountPortlet_backURL parameter.

Affected (25)

Products: Liferay: Digital Experience Platform, Liferay Portal

Liferay

2 products

Digital Experience Platform

Liferay Portal

Configuration A

25 vulnerable

Vulnerable Software	Affected Versions
Liferay Digital Experience Platform	From 2023.q3.1 to 2023.q3.6
Liferay Digital Experience Platform	From 2023.q4.0 to 2023.q4.3
Liferay Digital Experience Platform	Version 7.3 update32
Liferay Digital Experience Platform	Version 7.3 update33
Liferay Digital Experience Platform	Version 7.3 update34
Liferay Digital Experience Platform	Version 7.3 update35
Liferay Digital Experience Platform	Version 7.4 update75
Liferay Digital Experience Platform	Version 7.4 update76
Liferay Digital Experience Platform	Version 7.4 update77
Liferay Digital Experience Platform	Version 7.4 update78
Liferay Digital Experience Platform	Version 7.4 update79
Liferay Digital Experience Platform	Version 7.4 update80
Liferay Digital Experience Platform	Version 7.4 update81
Liferay Digital Experience Platform	Version 7.4 update82
Liferay Digital Experience Platform	Version 7.4 update83
Liferay Digital Experience Platform	Version 7.4 update84
Liferay Digital Experience Platform	Version 7.4 update85
Liferay Digital Experience Platform	Version 7.4 update86
Liferay Digital Experience Platform	Version 7.4 update87
Liferay Digital Experience Platform	Version 7.4 update88
Liferay Digital Experience Platform	Version 7.4 update89
Liferay Digital Experience Platform	Version 7.4 update90
Liferay Digital Experience Platform	Version 7.4 update91
Liferay Digital Experience Platform	Version 7.4 update92
Liferay Liferay Portal	From 7.4.3.75 to 7.4.3.112

Related CWEs

CWE-352

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (1)

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-26271

Source: security@liferay.com

Vendor Advisory

Timeline

No history available yet.