CVE-2024-26272

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.3.2 through 7.4.3.107 Liferay DXP versions 2023.Q4.0 through 2023.Q4.2 Liferay DXP versions 2023.Q3.1 through 2023.Q3.5 Liferay DXP 7.4 GA through update 92 Liferay DXP 7.3 GA through update 35

Description A cross-site request forgery (CSRF) vulnerability in the content page editor allows remote attackers to change user passwords, shut down the server, execute arbitrary code in the scripting console, and perform other administrative actions via the p l back url parameter.

Recommendations For Liferay Portal versions 7.3.2 through 7.4.3.107, update to a version outside of this range to mitigate the risk. For Liferay DXP versions 2023.Q4.0 through 2023.Q4.2, update to a version outside of this range to mitigate the risk. For Liferay DXP versions 2023.Q3.1 through 2023.Q3.5, update to a version outside of this range to mitigate the risk. For Liferay DXP 7.4 GA through update 92, apply update 93 or later to mitigate the risk. For Liferay DXP 7.3 GA through update 35, apply update 36 or later to mitigate the risk. As a temporary workaround, consider restricting access to the p l back url parameter in the content page editor until a patch is available.