CVE-2024-26271 - NVD | ByteOS Network

NVD Vulnerability Details :

CVE-2024-26271

Analyzed

More Info Official Page

Source-security@liferay.com

Published At-22 Oct, 2024 | 15:15

Updated At-10 Dec, 2024 | 21:07

Cross-site request forgery (CSRF) vulnerability in the My Account widget in Liferay Portal 7.4.3.75 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 update 75 through update 92 and 7.3 update 32 through update 36 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the _com_liferay_my_account_web_portlet_MyAccountPortlet_backURL parameter.

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary	3.1	8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CPE Matches

>>digital_experience_platform>>Versions from 2023.q3.1(inclusive) to 2023.q3.6(exclusive)

cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*

>>digital_experience_platform>>Versions from 2023.q4.0(inclusive) to 2023.q4.3(exclusive)

cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*

>>digital_experience_platform>>7.3

cpe:2.3:a:liferay:digital_experience_platform:7.3:update32:*:*:*:*:*:*

>>digital_experience_platform>>7.3

cpe:2.3:a:liferay:digital_experience_platform:7.3:update33:*:*:*:*:*:*

>>digital_experience_platform>>7.3

cpe:2.3:a:liferay:digital_experience_platform:7.3:update34:*:*:*:*:*:*

>>digital_experience_platform>>7.3

cpe:2.3:a:liferay:digital_experience_platform:7.3:update35:*:*:*:*:*:*

>>digital_experience_platform>>7.4

cpe:2.3:a:liferay:digital_experience_platform:7.4:update75:*:*:*:*:*:*

>>digital_experience_platform>>7.4

cpe:2.3:a:liferay:digital_experience_platform:7.4:update76:*:*:*:*:*:*

>>digital_experience_platform>>7.4

cpe:2.3:a:liferay:digital_experience_platform:7.4:update77:*:*:*:*:*:*

>>digital_experience_platform>>7.4

cpe:2.3:a:liferay:digital_experience_platform:7.4:update78:*:*:*:*:*:*

>>digital_experience_platform>>7.4

cpe:2.3:a:liferay:digital_experience_platform:7.4:update79:*:*:*:*:*:*

>>digital_experience_platform>>7.4

cpe:2.3:a:liferay:digital_experience_platform:7.4:update80:*:*:*:*:*:*

>>digital_experience_platform>>7.4

cpe:2.3:a:liferay:digital_experience_platform:7.4:update81:*:*:*:*:*:*

>>digital_experience_platform>>7.4

cpe:2.3:a:liferay:digital_experience_platform:7.4:update82:*:*:*:*:*:*

>>digital_experience_platform>>7.4

cpe:2.3:a:liferay:digital_experience_platform:7.4:update83:*:*:*:*:*:*

>>digital_experience_platform>>7.4

cpe:2.3:a:liferay:digital_experience_platform:7.4:update84:*:*:*:*:*:*

>>digital_experience_platform>>7.4

cpe:2.3:a:liferay:digital_experience_platform:7.4:update85:*:*:*:*:*:*

>>digital_experience_platform>>7.4

cpe:2.3:a:liferay:digital_experience_platform:7.4:update86:*:*:*:*:*:*

>>digital_experience_platform>>7.4

cpe:2.3:a:liferay:digital_experience_platform:7.4:update87:*:*:*:*:*:*

>>digital_experience_platform>>7.4

cpe:2.3:a:liferay:digital_experience_platform:7.4:update88:*:*:*:*:*:*

>>digital_experience_platform>>7.4

cpe:2.3:a:liferay:digital_experience_platform:7.4:update89:*:*:*:*:*:*

>>digital_experience_platform>>7.4

cpe:2.3:a:liferay:digital_experience_platform:7.4:update90:*:*:*:*:*:*

>>digital_experience_platform>>7.4

cpe:2.3:a:liferay:digital_experience_platform:7.4:update91:*:*:*:*:*:*

>>digital_experience_platform>>7.4

cpe:2.3:a:liferay:digital_experience_platform:7.4:update92:*:*:*:*:*:*

>>liferay_portal>>Versions from 7.4.3.75(inclusive) to 7.4.3.112(exclusive)

cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-352	Secondary	security@liferay.com
CWE-352	Primary	nvd@nist.gov

References

Hyperlink	Source	Resource
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-26271	security@liferay.com	Vendor Advisory