CVE-2024-8980 — Cross-Site Request Forgery in Digital Experience Platform

CWE-352 — Cross-Site Request Forgery4 documents4 sources

Severity

6.1MEDIUMNVD

CNA9.6

EPSS

0.4%

top 40.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Digital Experience Platform Liferay Portal Liferay DXP +1 more

Timeline

PublishedOct 22

Description

The Script Console in Liferay Portal 7.0.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, 7.2 GA through fix pack 20, 7.1 GA through fix pack 28, 7.0 GA through fix pack 102 and 6.2 GA through fix pack 173 does not sufficiently protect against Cross-Site Request Forgery (CSRF) attacks, which allows remote attackers to execute arbitrary Groovy script via a crafted URL or a XSS vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

▶NVDliferay/liferay_portal7.0.0 — 7.0.6+4

▶CVEListV5liferay/portal7.0.0 — 7.4.3.101

▶NVDliferay/digital_experience_platform2023.q3.1 — 2023.q3.5+3

▶CVEListV5liferay/dxp6.2.0 — portal-173+6

🔴Vulnerability Details

GHSA

Liferay Portal and Liferay DXP Vulnerable to CSRF in the Script Console↗2024-10-22

▶

CVEList

CVE-2024-8980: The Script Console in Liferay Portal 7↗2024-10-22

▶

OSV

Liferay Portal and Liferay DXP Vulnerable to CSRF in the Script Console↗2024-10-22

▶