CVE-2024-26271
Essential information
- Published
- 22/10/2024 15:15
- Modified
- 30/10/2024 15:04
- Author
- —
- Creator
- —
- CVSS
- 8.8 HIGH (v3.1)
- CISA KEV
- No
- CWE
- —
- CVSS vector
-
—
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H—
CVSS metrics
- Access vector
- —
- Access complexity
- —
- Authentication
- —
- Confidentiality impact
- —
- Integrity impact
- —
- Availability impact
- —
- Exploitability
- —
- Remediation level
- —
- Report confidence
- —
- Temporal score
- —
- Attack vector
- NETWORK
- Attack complexity
- LOW
- Privileges required
- NONE
- User interaction
- REQUIRED
- Scope
- UNCHANGED
- Confidentiality impact
- HIGH
- Integrity impact
- HIGH
- Availability impact
- HIGH
- Exploit code maturity
- —
- Remediation level
- —
- Report confidence
- —
- Temporal score
- —
- Attack vector
- —
- Attack complexity
- —
- Attack requirements
- —
- Privileges required
- —
- User interaction
- —
- Confidentiality (V)
- —
- Confidentiality (S)
- —
- Integrity (V)
- —
- Integrity (S)
- —
- Availability (V)
- —
- Availability (S)
- —
- Exploit maturity
- —
Description
Cross-site request forgery (CSRF) vulnerability in the My Account widget in Liferay Portal 7.4.3.75 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 update 75 through update 92 and 7.3 update 32 through update 36 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the _com_liferay_my_account_web_portlet_MyAccountPortlet_backURL parameter.
NVD status
- Status
- Analyzed — CVE has been recently published to the CVE List and has been received by the NVD.
- Source
- [email protected]
- NVD
- View on NVD
Affected products (CPE)
| Product | CPE |
|---|---|
| liferay / digital experience platform | cpe:2.3:a:liferay:digital_experience_platform:7.3:update32:*:*:*:*:*:* |
| liferay / digital experience platform | cpe:2.3:a:liferay:digital_experience_platform:7.3:update33:*:*:*:*:*:* |
| liferay / digital experience platform | cpe:2.3:a:liferay:digital_experience_platform:7.3:update34:*:*:*:*:*:* |
| liferay / digital experience platform | cpe:2.3:a:liferay:digital_experience_platform:7.3:update35:*:*:*:*:*:* |
| liferay / digital experience platform | cpe:2.3:a:liferay:digital_experience_platform:7.4:update75:*:*:*:*:*:* |
| liferay / digital experience platform | cpe:2.3:a:liferay:digital_experience_platform:7.4:update81:*:*:*:*:*:* |
| liferay / digital experience platform | cpe:2.3:a:liferay:digital_experience_platform:7.4:update82:*:*:*:*:*:* |
| liferay / digital experience platform | cpe:2.3:a:liferay:digital_experience_platform:7.4:update83:*:*:*:*:*:* |
| liferay / digital experience platform | cpe:2.3:a:liferay:digital_experience_platform:7.4:update84:*:*:*:*:*:* |
| liferay / digital experience platform | cpe:2.3:a:liferay:digital_experience_platform:7.4:update85:*:*:*:*:*:* |
| liferay / digital experience platform | cpe:2.3:a:liferay:digital_experience_platform:7.4:update86:*:*:*:*:*:* |
| liferay / digital experience platform | cpe:2.3:a:liferay:digital_experience_platform:7.4:update92:*:*:*:*:*:* |
| liferay / digital experience platform | cpe:2.3:a:liferay:digital_experience_platform:2023:q3.1:*:*:*:*:*:* |
| liferay / digital experience platform | cpe:2.3:a:liferay:digital_experience_platform:2023:q3.5:*:*:*:*:*:* |
| liferay / digital experience platform | cpe:2.3:a:liferay:digital_experience_platform:2023:q4.0:*:*:*:*:*:* |
| liferay / digital experience platform | cpe:2.3:a:liferay:digital_experience_platform:2023:q4.2:*:*:*:*:*:* |
| liferay / liferay portal | cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:* |