Security Listings

Liferay DXP 2023.Q3 Liferay DXP 2023.Q4 Liferay DXP 7.3 Liferay DXP 7.4 Liferay Portal 7.3 Liferay Portal 7.4

8.8

CVE-2024-26272 CSRF bypass related to `p_l_back_url` in content page editor

Description

Cross-site request forgery (CSRF) vulnerability in the content page editor in Liferay Portal and Liferay DXP allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the p_l_back_url parameter.

Severity

8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Affected Version(s)

Liferay Portal 7.4.0 through 7.4.3.107
Liferay Portal 7.3.2 through 7.3.7
Liferay DXP 2023.Q4.0 through 2023.Q4.2
Liferay DXP 2023.Q3.1 through 2023.Q3.5
Liferay DXP 7.4
Liferay DXP 7.3 GA through Update 35

Fixed Version(s)

Liferay Portal 7.4.3.108
Liferay DXP 2024.Q1.1
Liferay DXP 2023.Q4.3
Liferay DXP 2023.Q3.6
Liferay DXP 7.3 Update 36

Acknowledgments

This issue was reported by NDIx

CVE-2024-26272

Publication Date:

september 12, 2024

Found a Bug?

If you have found, or think you have found a bug, help us to help you by letting us know!

Learn How >

Found a Security Vulnerability?

There's a different process available if you have a security issue to report...

Learn How >

Hall of Fame!

Raise your profile - report security vulnerabilities and enter the Hall of Fame!

Learn How >

Community

Company

Feedback