CVE-2024-8980

The Script Console in Liferay Portal 7.0.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, 7.2 GA through fix pack 20, 7.1 GA through fix pack 28, 7.0 GA through fix pack 102 and 6.2 GA through fix pack 173 does not sufficiently protect against Cross-Site Request Forgery (CSRF) attacks, which allows remote attackers to execute arbitrary Groovy script via a crafted URL or an XSS vulnerability.
Configurations

Configuration 1

OR cpe:2.3:a:liferay:digital_experience_platform:6.2:-:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.0:-:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.1:-:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.3:update14:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.3:update35:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:2023:q3.1:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:2023:q3.4:*:*:*:*:*:*
cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*

History

30 Oct 2024, 14:46

Type Values Removed Values Added
References () https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-8980 - () https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-8980 - Vendor Advisory
First Time Liferay
Liferay liferay Portal
Liferay digital Experience Platform
CVSS v2 : unknown
v3 : 9.6
v2 : unknown
v3 : 6.1
CPE cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.3:update14:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:2023:q3.4:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.3:update35:*:*:*:*:*:*
cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.0:-:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.1:-:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:6.2:-:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:2023:q3.1:*:*:*:*:*:*

23 Oct 2024, 15:12

Type Values Removed Values Added
Summary
  • (es) The Script Console in Liferay Portal 7.0.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, 7.2 GA through fix pack 20, 7.1 GA through fix pack 28, 7.0 GA through fix pack 102 and 6.2 GA through fix pack 173 does not sufficiently protect against Cross-Site Request Forgery (CSRF) attacks, which allow remote attackers to execute arbitrary Groovy scripts via a crafted URL or an XSS vulnerability.

22 Oct 2024, 15:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-10-22 15:15

Updated : 2024-10-30 14:46


NVD link : CVE-2024-8980

Mitre link : CVE-2024-8980

CVE.ORG link : CVE-2024-8980



Products Affected

liferay

  • digital_experience_platform
  • liferay_portal
CWE
CWE-352

Cross-Site Request Forgery (CSRF)