Cross-Site Request Forgery in Liferay Portal's Layout Module SEO Configuration
CVE-2023-35030

8.8 HIGH

Key Information:

Vendor: Liferay
Status: Vendor
CVE Published: 15 June 2023

What is CVE-2023-35030?

A Cross-Site Request Forgery (CSRF) vulnerability exists in the SEO configuration of the Layout module in Liferay Portal 7.4.3.70 through 7.4.3.76 and Liferay DXP 7.4 update 70 through 76. The flaw allows remote attackers to execute arbitrary code in the scripting console via the '_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL' parameter. As with any CSRF issue, the attacker needs no account of their own (CVSS Privileges Required: None) but must lure an already-authenticated user whose session can reach the scripting console into loading an attacker-controlled page (CVSS User Interaction: Required); the forged request then runs with that user's session, which is why the impact is rated High for confidentiality, integrity and availability.

Affected Version(s)

DXP 7.4.13.u70 through 7.4.13.u76 (inclusive)

Portal 7.4.3.70 through 7.4.3.76 (inclusive)
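The two things a practitioner usually wants from this advisory are a quick way to tell whether a given Liferay build sits inside the affected ranges, and a way to hunt access logs for forged requests that carried the named backURL parameter. The Python below is an added example written for this page, not code from the advisory or from Liferay. It assumes Portal versions are written as 'a.b.c.d' (e.g. 7.4.3.75) and DXP versions as 'a.b.c.uN' (e.g. 7.4.13.u75), exactly as the advisory writes them; the log lines, hostnames and URL paths are constructed for the example and are illustrative only. Because a CSRF request sent as a POST carries its parameters in the body, only GET requests are visible to a query-string scan like this one.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Affected ranges exactly as the advisory lists them (inclusive, per its "<=" notation).
AFFECTED = {
    "portal": ((7, 4, 3, 70), (7, 4, 3, 76)),   # Liferay Portal 7.4.3.70 - 7.4.3.76
    "dxp": ((7, 4, 13, 70), (7, 4, 13, 76)),    # Liferay DXP 7.4.13 update 70 - 76
}
PORTAL_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")   # assumed format, e.g. 7.4.3.75
DXP_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.u(\d+)$")     # assumed format, e.g. 7.4.13.u75

# Request parameter named in the advisory.
PARAM = "_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL"


def parse_version(version):
    """Return (product, numeric tuple) for a Portal or DXP version string."""
    s = version.strip()
    m = DXP_RE.match(s)
    if m:
        return "dxp", tuple(int(x) for x in m.groups())
    m = PORTAL_RE.match(s)
    if m:
        return "portal", tuple(int(x) for x in m.groups())
    raise ValueError(f"unrecognised Liferay version string: {version!r}")


def is_affected(version):
    """True if the version falls inside a range the advisory lists as affected."""
    product, v = parse_version(version)
    lo, hi = AFFECTED[product]
    return lo <= v <= hi


def triage(inventory):
    """Map {host: version} to the sorted list of hosts running an affected build."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Combined log format: client, user, timestamp, request line, status, bytes, referer, UA.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$'
)


def suspicious_requests(log_lines, portal_host):
    """Return (client, timestamp, referer) for GET requests whose query string carries
    the advisory's backURL parameter but whose Referer is missing or from another
    origin, which is how a request forged from an attacker-controlled page looks.
    Only GET requests are checked; a forged POST keeps its parameters in the body."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, method, path, _status, referer, _ua = m.groups()
        if method != "GET":
            continue
        query = parse_qs(urlsplit(path).query, keep_blank_values=True)
        if PARAM not in query:
            continue
        ref_host = urlsplit(referer).hostname if referer not in ("", "-") else None
        if ref_host != portal_host:
            hits.append((client, ts, referer))
    return hits


# Constructed sample log lines for this example; paths and hosts are illustrative.
SAMPLE_LOGS = [
    '10.0.0.5 - admin [20/Jun/2023:10:02:11 +0000] "GET /group/guest/~/control_panel/manage?p_p_id=com_liferay_layout_admin_web_portlet_GroupPagesPortlet&_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL=%2Fweb%2Fguest HTTP/1.1" 200 5120 "https://portal.example.com/group/guest/~/control_panel" "Mozilla/5.0"',
    '203.0.113.9 - admin [20/Jun/2023:10:05:42 +0000] "GET /group/guest/~/control_panel/manage?p_p_id=com_liferay_layout_admin_web_portlet_GroupPagesPortlet&_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL=%2Fweb%2Fguest HTTP/1.1" 200 5120 "https://attacker.example.net/lure.html" "Mozilla/5.0"',
    '203.0.113.9 - - [20/Jun/2023:10:05:43 +0000] "GET /web/guest/home HTTP/1.1" 200 910 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    fleet = {"portal-a": "7.4.3.75", "portal-b": "7.4.3.80", "dxp-c": "7.4.13.u70"}
    print("affected hosts:", triage(fleet))
    for hit in suspicious_requests(SAMPLE_LOGS, "portal.example.com"):
        print("off-origin backURL request:", hit)
```

A hit from this scan is a lead, not proof: legitimate clients with Referer stripped by privacy settings will also show up with no Referer, so confirm each hit against the session owner's activity before treating it as a forged request.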


CVSS v3.1

Score: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability reserved

  • Vulnerability published: 15 June 2023

Credit

Henrik Bayer (NDIx)