CVE-2024-26271

🗓️ 22 Oct 2024 14:06:16Reported by LiferayType

cve🔗 web.nvd.nist.gov📰️ 1 Media mentions👁 65 Views

Cross-site request forgery (CSRF) vulnerability in Liferay Portal 7.4.3.75 to 7.4.3.111 and Liferay DXP 2023.Q4.0 to 2023.Q4.2 allows remote attackers to change user passwords, shut down the server, execute arbitrary code, and perform other administrative actions

Reporter	Title	Published	Views	Family All 13
Circl	CVE-2024-26271	22 Oct 202417:57	–	circl
CNNVD	Liferay Portal和Liferay DXP 跨站请求伪造漏洞	22 Oct 202400:00	–	cnnvd
Cvelist	CVE-2024-26271	22 Oct 202414:06	–	cvelist
EUVD	EUVD-2024-23543	3 Oct 202520:07	–	euvd
Github Security Blog	Liferay Portal and Liferay DXP Vulnerable to Cross-Site Request Forgery (CSRF) via the My Account Widget	22 Oct 202418:32	–	github
Tenable Nessus	Liferay Portal 7.4.3.75 < 7.4.3.112 CSRF	13 Dec 202400:00	–	nessus
NVD	CVE-2024-26271	22 Oct 202415:15	–	nvd
OSV	CVE-2024-26271	22 Oct 202415:15	–	osv
OSV	GHSA-6C4V-X9V2-RJM8 Liferay Portal and Liferay DXP Vulnerable to Cross-Site Request Forgery (CSRF) via the My Account Widget	22 Oct 202418:32	–	osv
Positive Technologies	PT-2024-21324 · Liferay · Liferay Dxp +1	22 Oct 202400:00	–	ptsecurity

NVD

Vulners

Vulnrichment

Node

liferay digital_experience_platformRange2023.q3.1–2023.q3.6

liferay digital_experience_platformRange2023.q4.0–2023.q4.3

liferay digital_experience_platformMatch7.3update32

liferay digital_experience_platformMatch7.3update33

liferay digital_experience_platformMatch7.3update34

liferay digital_experience_platformMatch7.3update35

liferay digital_experience_platformMatch7.4update75

liferay digital_experience_platformMatch7.4update76

liferay digital_experience_platformMatch7.4update77

liferay digital_experience_platformMatch7.4update78

liferay digital_experience_platformMatch7.4update79

liferay digital_experience_platformMatch7.4update80

liferay digital_experience_platformMatch7.4update81

liferay digital_experience_platformMatch7.4update82

liferay digital_experience_platformMatch7.4update83

liferay digital_experience_platformMatch7.4update84

liferay digital_experience_platformMatch7.4update85

liferay digital_experience_platformMatch7.4update86

liferay digital_experience_platformMatch7.4update87

liferay digital_experience_platformMatch7.4update88

liferay digital_experience_platformMatch7.4update89

liferay digital_experience_platformMatch7.4update90

liferay digital_experience_platformMatch7.4update91

liferay digital_experience_platformMatch7.4update92

liferay liferay_portalRange7.4.3.75–7.4.3.112

[
  {
    "defaultStatus": "unaffected",
    "product": "Portal",
    "vendor": "Liferay",
    "versions": [
      {
        "lessThanOrEqual": "7.4.3.111",
        "status": "affected",
        "version": "7.4.3.75",
        "versionType": "maven"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "DXP",
    "vendor": "Liferay",
    "versions": [
      {
        "lessThanOrEqual": "7.3.10-u35",
        "status": "affected",
        "version": "7.3.10-u32",
        "versionType": "maven"
      },
      {
        "lessThanOrEqual": "7.4.13-u92",
        "status": "affected",
        "version": "7.4.13-u75",
        "versionType": "maven"
      },
      {
        "lessThanOrEqual": "2023.Q3.5",
        "status": "affected",
        "version": "2023.Q3.1",
        "versionType": "maven"
      },
      {
        "lessThanOrEqual": "2023.Q4.2",
        "status": "affected",
        "version": "2023.Q4.0",
        "versionType": "maven"
      }
    ]
  }
]

Source	Link
liferay	www.liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-26271

10 Dec 2024 21:07Current

9High risk

Vulners AI Score9

CVSS 3.18.8

EPSS0.02193

SSVC

CWE-352