The Script Console in Liferay Portal 7.0.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, 7.2 GA through fix pack 20, 7.1 GA through fix pack 28, 7.0 GA through fix pack 102 and 6.2 GA through fix pack 173
does not sufficiently protect against Cross-Site Request Forgery (CSRF) attacks, which allows remote attackers to execute arbitrary Groovy script via a crafted URL or a XSS vulnerability.
References
Link | Resource |
---|---|
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-8980 | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
30 Oct 2024, 14:46
Type | Values Removed | Values Added |
---|---|---|
References | () https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-8980 - Vendor Advisory | |
First Time |
Liferay
Liferay liferay Portal Liferay digital Experience Platform |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.1 |
CPE | cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:7.3:update14:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:2023:q3.4:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:7.3:update35:*:*:*:*:*:* cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:7.0:-:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:7.1:-:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:6.2:-:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:2023:q3.1:*:*:*:*:*:* |
23 Oct 2024, 15:12
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
22 Oct 2024, 15:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-10-22 15:15
Updated : 2024-10-30 14:46
NVD link : CVE-2024-8980
Mitre link : CVE-2024-8980
CVE.ORG link : CVE-2024-8980
JSON object : View
Products Affected
liferay
- digital_experience_platform
- liferay_portal
CWE
CWE-352
Cross-Site Request Forgery (CSRF)