CVE-2024-26265 — Allocation of Resources Without Limits or Throttling in Digital Experience Platform

CWE-770 — Allocation of Resources Without Limits or Throttling CWE-400 — Uncontrolled Resource Consumption4 documents4 sources

Severity

6.5MEDIUMNVD

CNA5.0

EPSS

0.7%

top 28.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Digital Experience Platform Liferay Portal Liferay DXP +1 more

Timeline

PublishedFeb 20

Description

The Image Uploader module in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions relies on a request parameter to limit the size of files that can be uploaded, which allows remote authenticated users to upload arbitrarily large files to the system's temp folder by modifying the `maxFileSize` parameter.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶NVDliferay/liferay_portal7.4.0 — 7.4.3.16+1

▶CVEListV5liferay/portal7.2.0 — 7.4.3.15

▶NVDliferay/digital_experience_platform< 7.2+3

▶CVEListV5liferay/dxp7.4.13 — 7.4.13.u15+2

🔴Vulnerability Details

CVEList

CVE-2024-26265: The Image Uploader module in Liferay Portal 7↗2024-02-20

▶

OSV

Liferay Portal vulnerable to Denial of Service↗2024-02-20

▶

GHSA

Liferay Portal vulnerable to Denial of Service↗2024-02-20

▶