CVE-2024-26271

22.10.2024, 15:15

Cross-site request forgery (CSRF) vulnerability in the My Account widget in Liferay Portal 7.4.3.75 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 update 75 through update 92 and 7.3 update 32 through update 36 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the _com_liferay_my_account_web_portlet_MyAccountPortlet_backURL parameter.

CSRF

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.8 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Liferay	CNA	8.8 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 32%

Vendor	Product	Version
liferay	digital_experience_platform	2023.q3.1 ≤ 𝑥 < 2023.q3.6
liferay	digital_experience_platform	2023.q4.0 ≤ 𝑥 < 2023.q4.3
liferay	digital_experience_platform	7.3:update32
liferay	digital_experience_platform	7.3:update33
liferay	digital_experience_platform	7.3:update34
liferay	digital_experience_platform	7.3:update35
liferay	digital_experience_platform	7.4:update75
liferay	digital_experience_platform	7.4:update76
liferay	digital_experience_platform	7.4:update77
liferay	digital_experience_platform	7.4:update78
liferay	digital_experience_platform	7.4:update79
liferay	digital_experience_platform	7.4:update80
liferay	digital_experience_platform	7.4:update81
liferay	digital_experience_platform	7.4:update82
liferay	digital_experience_platform	7.4:update83
liferay	digital_experience_platform	7.4:update84
liferay	digital_experience_platform	7.4:update85
liferay	digital_experience_platform	7.4:update86
liferay	digital_experience_platform	7.4:update87
liferay	digital_experience_platform	7.4:update88
liferay	digital_experience_platform	7.4:update89
liferay	digital_experience_platform	7.4:update90
liferay	digital_experience_platform	7.4:update91
liferay	digital_experience_platform	7.4:update92
liferay	liferay_portal	7.4.3.75 ≤ 𝑥 < 7.4.3.112

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-352 - Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-26271