PT-2023-25102 · Liferay · Liferay DXP, Liferay Portal

Henrik Bayer +1 · Published 2023-06-15 · Updated 2023-06-22 · CVE-2023-35030

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Liferay Portal versions 7.4.3.70 through 7.4.3.76
Liferay DXP 7.4 update 70 through 76
Description

A cross-site request forgery (CSRF) issue in the Layout module's SEO configuration allows remote attackers to execute arbitrary code in the scripting console via the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL parameter.
Recommendations

For Liferay Portal versions 7.4.3.70 through 7.4.3.76, consider disabling the SEO configuration in the Layout module until a patch is available. For Liferay DXP 7.4 update 70 through 76, restrict access to the scripting console to minimize the risk of exploitation. Avoid using the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL parameter on the affected endpoint until the issue is resolved.

Fix · RCE · CSRF

Weakness Enumeration

Related Identifiers

CVE-2023-35030
GHSA-P2FC-XXR8-FW3P

Affected Products

Liferay DXP
Liferay Portal