CVE-2024-26271

EPSS 0.12%
Published 22.10.2024 15:15:05
Last modified 10.12.2024 21:07:04
Source security@liferay.com
Teams watchlist Login
Open Login

Cross-site request forgery (CSRF) vulnerability in the My Account widget in Liferay Portal 7.4.3.75 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 update 75 through update 92 and 7.3 update 32 through update 36 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the _com_liferay_my_account_web_portlet_MyAccountPortlet_backURL parameter.

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Liferay ≫ Digital Experience Platform Version >= 2023.q3.1 < 2023.q3.6

Liferay ≫ Digital Experience Platform Version >= 2023.q4.0 < 2023.q4.3

Liferay ≫ Digital Experience Platform Version7.3 Updateupdate32

Liferay ≫ Digital Experience Platform Version7.3 Updateupdate33

Liferay ≫ Digital Experience Platform Version7.3 Updateupdate34

Liferay ≫ Digital Experience Platform Version7.3 Updateupdate35

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate75

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate76

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate77

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate78

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate79

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate80

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate81

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate82

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate83

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate84

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate85

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate86

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate87

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate88

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate89

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate90

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate91

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate92

Liferay ≫ Liferay Portal Version >= 7.4.3.75 < 7.4.3.112

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.12%	0.321

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
security@liferay.com	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-26271

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-26271

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-26271

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-26271

EUVD