CVE-2024-8980

{"id": "CVE-2024-8980", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security@liferay.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.8}]}, "published": "2024-10-22T15:15:07.337", "references": [{"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-8980", "tags": ["Vendor Advisory"], "source": "security@liferay.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-352"}]}, {"type": "Secondary", "source": "security@liferay.com", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "The Script Console in Liferay Portal 7.0.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, 7.2 GA through fix pack 20, 7.1 GA through fix pack 28, 7.0 GA through fix pack 102 and 6.2 GA through fix pack 173\n does not sufficiently protect against Cross-Site Request Forgery (CSRF) attacks, which allows remote attackers to execute arbitrary Groovy script via a crafted URL or a XSS vulnerability."}, {"lang": "es", "value": "La consola de scripts en Liferay Portal 7.0.0 a 7.4.3.101, y Liferay DXP 2023.Q3.1 a 2023.Q3.4, 7.4 GA a la actualizaci\u00f3n 92, 7.3 GA a la actualizaci\u00f3n 35, 7.2 GA a trav\u00e9s del fixpack 20, 7.1 GA a trav\u00e9s del fixpack 28, 7.0 GA a trav\u00e9s del fixpack 102 y 6.2 GA a trav\u00e9s del fixpack 173 no protege lo suficiente contra ataques de Cross-Site Request Forgery (CSRF), que permiten a atacantes remotos ejecutar scripts de Groovy arbitrarios a trav\u00e9s de una URL manipulada o una vulnerabilidad XSS."}], "lastModified": "2024-10-30T14:46:14.127", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:liferay:digital_experience_platform:6.2:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6BFA6FB8-865E-4C8B-B0CF-CB3C47C18DD3"}, {"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4614C87F-F39C-4ADD-A7A2-4A498612AD38"}, {"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.1:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "27DF695E-B890-42C2-8941-5BB53154755F"}, {"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0DCF7F39-A198-4F7E-84B7-90C88C1BAA96"}, {"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115"}, {"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update14:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3E84D881-6D47-48FD-B743-9D531F5F7D5C"}, {"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update35:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C6984AC8-461D-488F-A911-7BF1D12B44A5"}, {"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E"}, {"criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023:q3.1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1A13C2E9-9260-466E-9D98-0021CB2F41F8"}, {"criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023:q3.4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "951E7698-7E66-4671-84E9-7A7B0FB15B23"}, {"criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7471D27F-6FDF-4214-9DAF-CC68CE6DB80D", "versionEndExcluding": "7.0.6", "versionStartIncluding": "7.0.0"}, {"criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "74992E49-BDF7-4AE0-A1F1-A2DD59ED6F2D", "versionEndExcluding": "7.1.3", "versionStartIncluding": "7.1.0"}, {"criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B7CAF8FC-6334-48FD-A3E0-83EE307A5210", "versionEndIncluding": "7.2.1", "versionStartIncluding": "7.2.0"}, {"criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "13F59EAA-9EC8-44CC-8F56-BC26981F584F", "versionEndIncluding": "7.3.7", "versionStartIncluding": "7.3.0"}, {"criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "79CB407F-11CB-45E9-AE4D-5926AE59EA0F", "versionEndExcluding": "7.4.3.102", "versionStartIncluding": "7.4.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@liferay.com"}