Cross-Site Request Forgery Vulnerability in Liferay Portal and DXP
CVE-2024-26272

8.8HIGH

Key Information:

Vendor: Liferay
Status: Digital Experience Platform; Liferay Portal
Vendor: CVE Published:; 22 October 2024

What is CVE-2024-26272?

A cross-site request forgery (CSRF) vulnerability impacts Liferay Portal and Liferay DXP, enabling remote attackers to exploit the p_l_back_url parameter. This flaw allows unauthorized actions such as altering user passwords, shutting down the server, and executing arbitrary code via the scripting console. Attackers can leverage this vulnerability across multiple affected versions, posing significant risks for users and system administrators.

References

https://liferay.dev/portal/security/known-vulnerabilities...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 22, 2024