CVE-2024-26271

Published Oct 22, 2024

Last updated 18 days ago

CVSS high 8.8

Overview

Description: Cross-site request forgery (CSRF) vulnerability in the My Account widget in Liferay Portal 7.4.3.75 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 update 75 through update 92 and 7.3 update 32 through update 36 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the _com_liferay_my_account_web_portlet_MyAccountPortlet_backURL parameter.
Source: security@liferay.com
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 8.8
Impact score: 5.9
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity: HIGH

Weaknesses

nvd@nist.gov: CWE-352
security@liferay.com: CWE-352

Hype score: Not currently trending

[CVE-2024-26271: HIGH] Critical CSRF vulnerability found in Liferay Portal 7.4.3.75-7.4.3.111 & DXP 2023.Q4.0-2023.Q4.2, allowing remote attackers to change passwords, shutdown server, execute code, & perform adm...#cybersecurity,#vulnerability https://t.co/z96ZrQTr9n htt
@CveFindCom
22 Oct 2024
34 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update32:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "660F37C6-61E6-4C34-8A7E-99C7DBEB8319"
          },
          {
            "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update33:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "5AD8D0D3-31AC-41E5-A780-5D5B18BF6991"
          },
          {
            "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update34:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "02D4C998-77F5-4428-A7B9-F7D909E23E92"
          },
          {
            "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update35:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C6984AC8-461D-488F-A911-7BF1D12B44A5"
          },
          {
            "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update75:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "BB5558B0-6714-4B3A-B287-1943517A975A"
          },
          {
            "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update81:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "294D8A56-A797-433C-A06E-106B2179151A"
          },
          {
            "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update82:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "824D88D9-4645-4CAD-8CAB-30F27DD388C4"
          },
          {
            "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update83:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F6E8C952-B455-46E4-AC3D-D38CAF189F60"
          },
          {
            "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update84:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "CD77C0EE-AC79-4443-A502-C1E02F806911"
          },
          {
            "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update85:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "648EB53C-7A90-4DA6-BF1C-B5336CDE30C7"
          },
          {
            "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update86:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "39835EF7-8E93-4695-973D-6E9B76C67372"
          },
          {
            "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update92:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "865ABA1F-CA99-4602-B325-F81C9778855C"
          },
          {
            "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023:q3.1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "1A13C2E9-9260-466E-9D98-0021CB2F41F8"
          },
          {
            "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023:q3.5:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "08FB7951-AEED-4B44-8504-ACA10D5B99B1"
          },
          {
            "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023:q4.0:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B6C54C71-6885-475B-939B-CEC309579BBA"
          },
          {
            "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023:q4.2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "4E4B4759-C7D4-4A33-B1B8-29869F60FEE3"
          },
          {
            "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "FEDE37FB-83BC-41D6-94D7-DE087BC4FE14",
            "versionEndExcluding": "7.4.3.112",
            "versionStartIncluding": "7.4.3.75"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

References