CSRF Vulnerability in Liferay Portal and DXP Products
CVE-2024-26271

8.8HIGH

Key Information:

Vendor: Liferay
Status: Digital Experience Platform; Liferay Portal
Vendor: CVE Published:; 22 October 2024

What is CVE-2024-26271?

A cross-site request forgery (CSRF) vulnerability in the My Account widget of Liferay Portal and DXP versions allows remote attackers to execute dangerous actions without authorization. This vulnerability lets attackers change user passwords, shut down the server, execute arbitrary code in the scripting console, and conduct various other administrative actions through the misuse of the _com_liferay_my_account_web_portlet_MyAccountPortlet_backURL parameter. Users of affected versions should prioritize applying available security patches to mitigate potential risks.

References

https://liferay.dev/portal/security/known-vulnerabilities...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 22, 2024