GHSA-6c4v-x9v2-rjm8

Source
https://github.com/advisories/GHSA-6c4v-x9v2-rjm8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-6c4v-x9v2-rjm8/GHSA-6c4v-x9v2-rjm8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-6c4v-x9v2-rjm8
Aliases
Published
2024-10-22T18:32:11Z
Modified
2025-04-28T20:42:13.524388Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Liferay Portal and Liferay DXP Vulnerable to Cross-Site Request Forgery (CSRF) via the My Account Widget
Details

Cross-site request forgery (CSRF) vulnerability in the My Account widget in Liferay Portal 7.4.3.75 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 update 75 through update 92, and 7.3 update 32 through update 36 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, and (4) perform other administrative actions via the _com_liferay_my_account_web_portlet_MyAccountPortlet_backURL parameter (the My Account portlet's namespaced backURL request parameter). As with any CSRF, the forged request runs with the privileges of the logged-in user whose browser is tricked into sending it, so the administrative outcomes listed above require an administrator's session; the CVSS vector reflects this with PR:N (attacker needs no account) and UI:R (a victim must interact).

Database specific
{
    "nvd_published_at": "2024-10-22T15:15:05Z",
    "cwe_ids": [
        "CWE-352"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-28T19:28:04Z"
}
References

Affected packages

Maven / com.liferay.portal:release.portal.bom

Package

Name
com.liferay.portal:release.portal.bom
Purl
pkg:maven/com.liferay.portal/release.portal.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.4.3.75
Fixed
7.4.3.112

Affected versions


7.4.3.75
7.4.3.76
7.4.3.77
7.4.3.78
7.4.3.79
7.4.3.80
7.4.3.81
7.4.3.82
7.4.3.83
7.4.3.84
7.4.3.85
7.4.3.85-ga85
7.4.3.86
7.4.3.87
7.4.3.88
7.4.3.89
7.4.3.90
7.4.3.91
7.4.3.92
7.4.3.93
7.4.3.94
7.4.3.95
7.4.3.95-1
7.4.3.96
7.4.3.97
7.4.3.98
7.4.3.99
7.4.3.100
7.4.3.101
7.4.3.102
7.4.3.103
7.4.3.104
7.4.3.105
7.4.3.106
7.4.3.107

Maven / com.liferay.portal:release.dxp.bom

Package

Name
com.liferay.portal:release.dxp.bom
Purl
pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2023.Q4.0
Fixed
2023.Q4.3

Affected versions


2023.q4.0
2023.q4.1
2023.q4.2

Maven / com.liferay.portal:release.dxp.bom

Package

Name
com.liferay.portal:release.dxp.bom
Purl
pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2023.Q3.1
Fixed
2023.Q3.6

Affected versions


2023.q3.1
2023.q3.2
2023.q3.3
2023.q3.4
2023.q3.5

Maven / com.liferay.portal:release.dxp.bom

Package

Name
com.liferay.portal:release.dxp.bom
Purl
pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.3u32
Fixed
7.3u37

Database specific

{
    "last_known_affected_version_range": "<= 7.3u36"
}

Maven / com.liferay.portal:release.dxp.bom

Package

Name
com.liferay.portal:release.dxp.bom
Purl
pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.4u75
Fixed
7.4u93

Database specific

{
    "last_known_affected_version_range": "<= 7.4u92"
}
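The five "Affected ranges" entries above use three different Liferay version schemes (dotted GA releases such as 7.4.3.75, quarterly DXP releases such as 2023.Q4.0, and DXP update releases such as 7.3u32), which makes a naive string or numeric comparison unreliable when checking an installed version against this advisory. The following is an added example, not code from the advisory, OSV, or Liferay: it encodes the introduced/fixed pairs exactly as listed on this page and reports whether a given package version falls inside one of them. The parsing rules for the three schemes, and the assumption that a suffix such as "-ga85" or "-1" belongs to the same release line as the unsuffixed version, are this example's own, not something the advisory states.

```python
"""Affected-version check for GHSA-6c4v-x9v2-rjm8 (Liferay My Account CSRF).

Added example; ranges copied from the "Affected ranges" entries on this page.
The version-parsing rules for Liferay's three schemes are assumptions of
this example, not part of the advisory.
"""
import re
from typing import Optional, Tuple

# (package, introduced, fixed), exactly as listed on this advisory page.
AFFECTED_RANGES = [
    ("com.liferay.portal:release.portal.bom", "7.4.3.75", "7.4.3.112"),
    ("com.liferay.portal:release.dxp.bom", "2023.Q4.0", "2023.Q4.3"),
    ("com.liferay.portal:release.dxp.bom", "2023.Q3.1", "2023.Q3.6"),
    ("com.liferay.portal:release.dxp.bom", "7.3u32", "7.3u37"),
    ("com.liferay.portal:release.dxp.bom", "7.4u75", "7.4u93"),
]

# Quarterly DXP releases: 2023.Q4.0 / 2023.q4.2 (Maven uses lowercase 'q').
_QUARTERLY = re.compile(r"^(\d{4})\.q(\d)\.(\d+)$", re.IGNORECASE)
# DXP update releases: 7.3u32, 7.4u92.
_UPDATE = re.compile(r"^(\d+)\.(\d+)u(\d+)$")
# Dotted GA releases, with an optional suffix: 7.4.3.85, 7.4.3.85-ga85, 7.4.3.95-1.
_DOTTED = re.compile(r"^(\d+(?:\.\d+)*)(?:-.*)?$")


def parse_version(v: str) -> Tuple:
    """Map a Liferay version string to a comparable tuple.

    The first element is a scheme tag so that numbers from different schemes
    (quarterly vs. update vs. dotted) are never compared against each other.
    Raises ValueError for anything unrecognised rather than guessing.
    """
    m = _QUARTERLY.match(v)
    if m:
        return ("quarterly", int(m[1]), int(m[2]), int(m[3]))
    m = _UPDATE.match(v)
    if m:
        return ("update", int(m[1]), int(m[2]), int(m[3]))
    m = _DOTTED.match(v)
    if m:
        # Assumption: a "-ga85" or "-1" suffix is the same release line as
        # the unsuffixed version and is ignored for range comparison.
        return ("dotted",) + tuple(int(p) for p in m[1].split("."))
    raise ValueError(f"unrecognised Liferay version: {v!r}")


def is_affected(package: str, version: str) -> Optional[str]:
    """Return the matching range as 'introduced..fixed', or None if not affected.

    A range applies only when the version uses the same scheme as the range's
    endpoints and introduced <= version < fixed (OSV semantics: 'fixed' is the
    first non-vulnerable version).
    """
    pv = parse_version(version)
    for pkg, introduced, fixed in AFFECTED_RANGES:
        if pkg != package:
            continue
        lo, hi = parse_version(introduced), parse_version(fixed)
        if lo[0] != pv[0]:
            continue  # different scheme; this range says nothing about pv
        if lo <= pv < hi:
            return f"{introduced}..{fixed}"
    return None


if __name__ == "__main__":
    # Constructed sample inputs covering each scheme and each boundary.
    for pkg, v in [
        ("com.liferay.portal:release.portal.bom", "7.4.3.100"),
        ("com.liferay.portal:release.portal.bom", "7.4.3.112"),
        ("com.liferay.portal:release.dxp.bom", "2023.q4.2"),
        ("com.liferay.portal:release.dxp.bom", "7.3u36"),
        ("com.liferay.portal:release.dxp.bom", "7.4u93"),
    ]:
        print(f"{pkg} {v} -> {is_affected(pkg, v) or 'not in an affected range'}")
```

Note that the ranges only say a version is not affected when it lies outside every range of the same scheme; a version string the parser does not recognise raises rather than silently reporting "not affected", which is the safer failure mode for a vulnerability check.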