PT-2024-21318 · Liferay · Liferay Portal, Liferay DXP

Published 2024-02-20 · Updated 2024-10-02 · CVE-2024-26265

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Liferay Portal versions 7.2.0 through 7.4.3.15
Liferay DXP 7.4 before update 16
Liferay DXP 7.3 before update 4
Liferay DXP 7.2 before fix pack 19

Description

The Image Uploader module relies on a request parameter to limit the size of files that can be uploaded, which allows remote authenticated users to upload arbitrarily large files to the system's temp folder by modifying the maxFileSize parameter.

Recommendations

For Liferay Portal versions 7.2.0 through 7.4.3.15, update to a version that includes the fix for this issue.
For Liferay DXP 7.4 before update 16, apply update 16 to resolve the issue.
For Liferay DXP 7.3 before update 4, apply update 4 to resolve the issue.
For Liferay DXP 7.2 before fix pack 19, apply fix pack 19 to resolve the issue.

As a temporary workaround, consider restricting access to the Image Uploader module until a patch is available. Avoid using the maxFileSize parameter in the affected module until the issue is resolved.
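The weakness described above is a size limit that the server reads from the request itself, so the client decides how much it may write to the temp folder. The following example, added here and not taken from Liferay's code, contrasts that pattern with a server-enforced cap: the upload is streamed to a temp file in chunks, the write is aborted as soon as the configured limit is exceeded, and the partial file is removed so nothing accumulates on disk. The constant SERVER_MAX_UPLOAD_BYTES, the helper names and the 4 KiB sample body are constructed for the demonstration; the request parameter name maxFileSize comes from the advisory.

```python
"""Server-side upload size enforcement (added illustrative example, not Liferay code)."""
import io
import os
import tempfile

# Constructed configuration value: the cap an administrator sets on the server.
# Deliberately tiny so the demonstration triggers it.
SERVER_MAX_UPLOAD_BYTES = 1024
CHUNK_SIZE = 256


class UploadTooLarge(Exception):
    """Raised when an upload exceeds the enforced byte limit."""


def _stream_to_temp(stream, limit, temp_dir):
    """Copy stream to a new temp file, enforcing `limit` while writing.

    The check runs per chunk, so the file never grows past the limit by more
    than one chunk, and the partial file is unlinked on rejection.
    """
    fd, path = tempfile.mkstemp(dir=temp_dir, prefix="upload-")
    written = 0
    try:
        with os.fdopen(fd, "wb") as out:
            while True:
                chunk = stream.read(CHUNK_SIZE)
                if not chunk:
                    break
                written += len(chunk)
                if written > limit:
                    raise UploadTooLarge(f"upload exceeds limit of {limit} bytes")
                out.write(chunk)
    except UploadTooLarge:
        os.unlink(path)  # do not leave partial data in the temp folder
        raise
    return path, written


def save_upload_trusting_client(stream, client_max_file_size, temp_dir):
    """Vulnerable pattern: the limit is whatever the request's maxFileSize says.

    A client that sends a very large value can fill the temp folder.
    """
    return _stream_to_temp(stream, client_max_file_size, temp_dir)


def save_upload_server_enforced(stream, client_max_file_size, temp_dir,
                                server_max=SERVER_MAX_UPLOAD_BYTES):
    """Hardened pattern: the server-configured cap is authoritative.

    A client-supplied value may only tighten the limit, never loosen it.
    """
    limit = server_max
    if client_max_file_size is not None:
        limit = min(limit, client_max_file_size)
    return _stream_to_temp(stream, limit, temp_dir)


def demo():
    """Run both patterns against a constructed 4 KiB body claiming maxFileSize=10 MiB."""
    body = b"A" * 4096
    claimed_max_file_size = 10 * 1024 * 1024  # what a tampered request might say
    results = {}
    with tempfile.TemporaryDirectory() as temp_dir:
        path, _ = save_upload_trusting_client(io.BytesIO(body),
                                              claimed_max_file_size, temp_dir)
        results["trusting_client_bytes_on_disk"] = os.path.getsize(path)

        try:
            save_upload_server_enforced(io.BytesIO(body),
                                        claimed_max_file_size, temp_dir)
            results["server_enforced_rejected"] = False
        except UploadTooLarge:
            results["server_enforced_rejected"] = True
        # Only the file from the trusting variant should remain.
        results["temp_files_after_rejection"] = len(os.listdir(temp_dir))

        # A body within the server cap is still accepted.
        _, small_written = save_upload_server_enforced(io.BytesIO(b"B" * 512),
                                                       claimed_max_file_size, temp_dir)
        results["small_upload_bytes"] = small_written
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is that enforcement happens during the write, not after it: checking the size once the whole body has landed in the temp folder would already have consumed the disk space the cap is meant to protect.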

Weakness Enumeration

Resource Exhaustion
Allocation of Resources Without Limits

Related Identifiers

CVE-2024-26265
GHSA-29XX-FHFF-36M7

Affected Products

Liferay DXP
Liferay Portal