Security Listings

9.6

CVE-2024-8980 Mitigate against simple XSS attacks against script console

Description

The Script Console in Liferay Portal and Liferay DXP does not sufficiently protect against Cross-Site Request Forgery (CSRF) attacks, which allows remote attackers to execute arbitrary Groovy script via a crafted URL or a XSS vulnerability.

Severity

9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)

Affected Version(s)

Liferay Portal 7.4.0 through 7.4.3.101
Liferay Portal 7.3.0 through 7.3.7
Liferay Portal 7.2.0 through 7.2.1
Liferay Portal 7.1.0 through 7.1.3
Liferay Portal 7.0.0 through 7.0.6
Liferay DXP 2023.Q3.1 through 2023.Q3.4
Liferay DXP 7.4
Liferay DXP 7.3 GA through Update 35
Liferay DXP 7.2
Liferay DXP 7.1
Liferay DXP 7.0
Liferay DXP 6.2

Fixed Version(s)

Liferay Portal 7.4.3.102
Liferay DXP 2024.Q1.1
Liferay DXP 2023.Q4.0
Liferay DXP 2023.Q3.5
Liferay DXP 7.3 Update 36

CVE-2024-8980

Publication Date:

septiembre 18, 2024

Found a Bug?

If you have found, or think you have found a bug, help us to help you by letting us know!

Learn How >

Found a Security Vulnerability?

There's a different process available if you have a security issue to report...

Learn How >

Hall of Fame!

Raise your profile - report security vulnerabilities and enter the Hall of Fame!

Learn How >

Community

Company

Feedback