CVE-2024-26271

Summary

Cross-site request forgery (CSRF) vulnerability in the My Account widget in Liferay Portal 7.4.3.75 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 update 75 through update 92 and 7.3 update 32 through update 36 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the _com_liferay_my_account_web_portlet_MyAccountPortlet_backURL parameter.

Affected Software

VendorProductVersion RangeStatus
LiferayPortal7.4.3.75 <= 7.4.3.111affected
LiferayDXP7.3.10-u32 <= 7.3.10-u35affected
LiferayDXP7.4.13-u75 <= 7.4.13-u92affected
LiferayDXP2023.Q3.1 <= 2023.Q3.5affected
LiferayDXP2023.Q4.0 <= 2023.Q4.2affected

Weaknesses

  • CWE-352: CWE-352 Cross-Site Request Forgery (CSRF)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References