CVE-2024-26271

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-26271

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26271.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-26271

Aliases

GHSA-6c4v-x9v2-rjm8

Published

2024-10-22T15:15:05.523Z

Modified

2025-11-19T17:34:26.398250Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Cross-site request forgery (CSRF) vulnerability in the My Account widget in Liferay Portal 7.4.3.75 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 update 75 through update 92 and 7.3 update 32 through update 36 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the comliferaymyaccountwebportletMyAccountPortletbackURL parameter.

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-26271

Affected packages

Git / github.com/liferay/liferay-portal

Affected ranges

Type: GIT
Repo: https://github.com/liferay/liferay-portal
Events: Introduced

486fa2d52f481ac5c99e594fb8ae4c02fb1be8d7

Fixed

b8c35409971bf2f43bb7e28bd1638daab05ce6fa