CVE-2024-26271

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.4.3.75 through 7.4.3.111 Liferay DXP versions 2023.Q4.0 through 2023.Q4.2 Liferay DXP versions 2023.Q3.1 through 2023.Q3.5 Liferay Portal 7.4 update 75 through update 92 Liferay Portal 7.3 update 32 through update 36

Description A cross-site request forgery (CSRF) vulnerability in the My Account widget allows remote attackers to change user passwords, shut down the server, execute arbitrary code in the scripting console, and perform other administrative actions via the com liferay my account web portlet MyAccountPortlet backURL parameter.

Recommendations For Liferay Portal versions 7.4.3.75 through 7.4.3.111, update to a version outside of this range to mitigate the risk. For Liferay DXP versions 2023.Q4.0 through 2023.Q4.2, update to a version outside of this range to mitigate the risk. For Liferay DXP versions 2023.Q3.1 through 2023.Q3.5, update to a version outside of this range to mitigate the risk. For Liferay Portal 7.4 update 75 through update 92, update to a version outside of this range to mitigate the risk. For Liferay Portal 7.3 update 32 through update 36, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the My Account widget until a patch is available. Avoid using the com liferay my account web portlet MyAccountPortlet backURL parameter in the affected API endpoint until the issue is resolved.