CVE-2024-26272

22.10.2024, 15:15

Cross-site request forgery (CSRF) vulnerability in the content page editor in Liferay Portal 7.3.2 through 7.4.3.107, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92 and 7.3 GA through update 35 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the p_l_back_url parameter.

CSRF

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.8 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Liferay	CNA	8.8 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 38%

Vendor	Product	Version
liferay	digital_experience_platform	2023.q3.1 ≤ 𝑥 < 2023.q3.6
liferay	digital_experience_platform	2023.q4.0 ≤ 𝑥 < 2023.q4.3
liferay	digital_experience_platform	7.3
liferay	digital_experience_platform	7.3:fix_pack_1
liferay	digital_experience_platform	7.3:fix_pack_2
liferay	digital_experience_platform	7.3:service_pack_1
liferay	digital_experience_platform	7.3:service_pack_3
liferay	digital_experience_platform	7.3:update10
liferay	digital_experience_platform	7.3:update11
liferay	digital_experience_platform	7.3:update12
liferay	digital_experience_platform	7.3:update13
liferay	digital_experience_platform	7.3:update14
liferay	digital_experience_platform	7.3:update15
liferay	digital_experience_platform	7.3:update16
liferay	digital_experience_platform	7.3:update17
liferay	digital_experience_platform	7.3:update18
liferay	digital_experience_platform	7.3:update19
liferay	digital_experience_platform	7.3:update20
liferay	digital_experience_platform	7.3:update21
liferay	digital_experience_platform	7.3:update22
liferay	digital_experience_platform	7.3:update23
liferay	digital_experience_platform	7.3:update24
liferay	digital_experience_platform	7.3:update25
liferay	digital_experience_platform	7.3:update26
liferay	digital_experience_platform	7.3:update27
liferay	digital_experience_platform	7.3:update28
liferay	digital_experience_platform	7.3:update29
liferay	digital_experience_platform	7.3:update30
liferay	digital_experience_platform	7.3:update31
liferay	digital_experience_platform	7.3:update32
liferay	digital_experience_platform	7.3:update33
liferay	digital_experience_platform	7.3:update34
liferay	digital_experience_platform	7.3:update35
liferay	digital_experience_platform	7.3:update4
liferay	digital_experience_platform	7.3:update5
liferay	digital_experience_platform	7.3:update6
liferay	digital_experience_platform	7.3:update7
liferay	digital_experience_platform	7.3:update8
liferay	digital_experience_platform	7.3:update9
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4:update1
liferay	digital_experience_platform	7.4:update10
liferay	digital_experience_platform	7.4:update11
liferay	digital_experience_platform	7.4:update12
liferay	digital_experience_platform	7.4:update13
liferay	digital_experience_platform	7.4:update14
liferay	digital_experience_platform	7.4:update15
liferay	digital_experience_platform	7.4:update16
liferay	digital_experience_platform	7.4:update17
liferay	digital_experience_platform	7.4:update18
liferay	digital_experience_platform	7.4:update19
liferay	digital_experience_platform	7.4:update2
liferay	digital_experience_platform	7.4:update20
liferay	digital_experience_platform	7.4:update21
liferay	digital_experience_platform	7.4:update22
liferay	digital_experience_platform	7.4:update23
liferay	digital_experience_platform	7.4:update24
liferay	digital_experience_platform	7.4:update25
liferay	digital_experience_platform	7.4:update26
liferay	digital_experience_platform	7.4:update27
liferay	digital_experience_platform	7.4:update28
liferay	digital_experience_platform	7.4:update29
liferay	digital_experience_platform	7.4:update3
liferay	digital_experience_platform	7.4:update30
liferay	digital_experience_platform	7.4:update31
liferay	digital_experience_platform	7.4:update32
liferay	digital_experience_platform	7.4:update33
liferay	digital_experience_platform	7.4:update34
liferay	digital_experience_platform	7.4:update35
liferay	digital_experience_platform	7.4:update36
liferay	digital_experience_platform	7.4:update37
liferay	digital_experience_platform	7.4:update38
liferay	digital_experience_platform	7.4:update39
liferay	digital_experience_platform	7.4:update4
liferay	digital_experience_platform	7.4:update40
liferay	digital_experience_platform	7.4:update41
liferay	digital_experience_platform	7.4:update42
liferay	digital_experience_platform	7.4:update43
liferay	digital_experience_platform	7.4:update44
liferay	digital_experience_platform	7.4:update45
liferay	digital_experience_platform	7.4:update46
liferay	digital_experience_platform	7.4:update47
liferay	digital_experience_platform	7.4:update48
liferay	digital_experience_platform	7.4:update49
liferay	digital_experience_platform	7.4:update5
liferay	digital_experience_platform	7.4:update50
liferay	digital_experience_platform	7.4:update51
liferay	digital_experience_platform	7.4:update52
liferay	digital_experience_platform	7.4:update53
liferay	digital_experience_platform	7.4:update54
liferay	digital_experience_platform	7.4:update55
liferay	digital_experience_platform	7.4:update56
liferay	digital_experience_platform	7.4:update57
liferay	digital_experience_platform	7.4:update58
liferay	digital_experience_platform	7.4:update59
liferay	digital_experience_platform	7.4:update6
liferay	digital_experience_platform	7.4:update60
liferay	digital_experience_platform	7.4:update61
liferay	digital_experience_platform	7.4:update62
liferay	digital_experience_platform	7.4:update63
liferay	digital_experience_platform	7.4:update64
liferay	digital_experience_platform	7.4:update65
liferay	digital_experience_platform	7.4:update66
liferay	digital_experience_platform	7.4:update67
liferay	digital_experience_platform	7.4:update68
liferay	digital_experience_platform	7.4:update69
liferay	digital_experience_platform	7.4:update7
liferay	digital_experience_platform	7.4:update70
liferay	digital_experience_platform	7.4:update71
liferay	digital_experience_platform	7.4:update72
liferay	digital_experience_platform	7.4:update73
liferay	digital_experience_platform	7.4:update74
liferay	digital_experience_platform	7.4:update75
liferay	digital_experience_platform	7.4:update76
liferay	digital_experience_platform	7.4:update77
liferay	digital_experience_platform	7.4:update78
liferay	digital_experience_platform	7.4:update79
liferay	digital_experience_platform	7.4:update8
liferay	digital_experience_platform	7.4:update80
liferay	digital_experience_platform	7.4:update81
liferay	digital_experience_platform	7.4:update82
liferay	digital_experience_platform	7.4:update83
liferay	digital_experience_platform	7.4:update84
liferay	digital_experience_platform	7.4:update85
liferay	digital_experience_platform	7.4:update86
liferay	digital_experience_platform	7.4:update87
liferay	digital_experience_platform	7.4:update88
liferay	digital_experience_platform	7.4:update89
liferay	digital_experience_platform	7.4:update9
liferay	digital_experience_platform	7.4:update90
liferay	digital_experience_platform	7.4:update91
liferay	digital_experience_platform	7.4:update92
liferay	liferay_portal	7.3.2 ≤ 𝑥 ≤ 7.3.7
liferay	liferay_portal	7.4.0 ≤ 𝑥 < 7.4.3.108

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-352 - Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-26272