CSRF Vulnerability in Liferay Portal and DXP Products
CVE-2024-26271
8.8 HIGH
Key Information:
- Vendor: Liferay
- CVE Published: 22 October 2024
What is CVE-2024-26271?
A cross-site request forgery (CSRF) vulnerability in the My Account widget in affected versions of Liferay Portal and DXP allows remote attackers to execute dangerous actions without authorization. Attackers can change user passwords, shut down the server, execute arbitrary code in the scripting console, and perform various other administrative actions by misusing the _com_liferay_my_account_web_portlet_MyAccountPortlet_backURL parameter. Users of affected versions should prioritize applying available security patches to mitigate potential risks.