Liferay Portal denial-of-service vulnerability

2024-02-0806:30:23

CWE-834

GitHub Advisory Database

github.com

iframe widget

remote authenticated users

dos

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

6.2 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

13.4%

JSON

The IFrame widget in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 6, 7.2 before fix pack 19, and older unsupported versions does not check the URL of the IFrame, which allows remote authenticated users to cause a denial-of-service (DoS) via a self referencing IFrame.

Affected configurations

Vulners

Node

github_advisory_databasecom.liferay.portal\Matchrelease.dxp.bom

github_advisory_databasecom.liferay.portal\Matchrelease.portal.bom

CPENameOperatorVersion
com.liferay.portal:release.dxp.bomlt7.4.13.u27
com.liferay.portal:release.dxp.bomlt7.3.10.u6
com.liferay.portal:release.dxp.bomlt7.2.10.fp19
com.liferay.portal:release.portal.bomlt7.4.3.27

Name	Operator	Version
com.liferay.portal:release.dxp.bom	lt	7.4.13.u27
com.liferay.portal:release.dxp.bom	lt	7.3.10.u6
com.liferay.portal:release.dxp.bom	lt	7.2.10.fp19
com.liferay.portal:release.portal.bom	lt	7.4.3.27