Cross-Site Request Forgery in Liferay Portal's Layout Module SEO Configuration
CVE-2023-35030

8.8HIGH

Key Information:

Vendor: Liferay
Status: Portal; Dxp
Vendor: CVE Published:; 15 June 2023

What is CVE-2023-35030?

A Cross-Site Request Forgery (CSRF) vulnerability exists in the SEO configuration of the Layout module within Liferay Portal versions 7.4.3.70 to 7.4.3.76 and Liferay DXP 7.4 update 70 to 76. This flaw enables remote attackers to execute arbitrary code in the scripting console via the '_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL' parameter, potentially compromising the integrity and security of affected installations.

Affected Version(s)

DXP 7.4.13.u70 <= 7.4.13.u76

Portal 7.4.3.70 <= 7.4.3.76

References

https://liferay.dev/portal/security/known-vulnerabilities...

vendor-advisory

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 15, 2023
Vulnerability Reserved
Jun 12, 2023

Credit

Henrik Bayer (NDIx)