CVE-2024-26265

Summary

The Image Uploader module in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions relies on a request parameter to limit the size of files that can be uploaded, which allows remote authenticated users to upload arbitrarily large files to the system's temp folder by modifying the maxFileSize parameter.

Affected Software

VendorProductVersion RangeStatus
LiferayPortal7.2.0 <= 7.4.3.15affected
LiferayDXP7.4.13 <= 7.4.13.u15affected
LiferayDXP7.3.10 <= 7.3.10-dxp-3affected
LiferayDXP7.2.10 <= 7.2.10-dxp-18affected

Weaknesses

  • CWE-770: CWE-770 Allocation of Resources Without Limits or Throttling

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References