CVE-2024-26273

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.4.0 through 7.4.3.103 Liferay DXP versions 2023.Q4.0 through 2023.Q4.2 Liferay DXP versions 2023.Q3.1 through 2023.Q3.5 Liferay DXP versions 7.4 GA through update 92 Liferay DXP versions 7.3 update 29 through update 35

Description A cross-site request forgery (CSRF) vulnerability in the content page editor allows remote attackers to change user passwords, shut down the server, execute arbitrary code in the scripting console, and perform other administrative actions via the com liferay commerce catalog web internal portlet CommerceCatalogsPortlet redirect parameter.

Recommendations For Liferay Portal versions 7.4.0 through 7.4.3.103, update to the latest version. For Liferay DXP versions 2023.Q4.0 through 2023.Q4.2, update to the latest version. For Liferay DXP versions 2023.Q3.1 through 2023.Q3.5, update to the latest version. For Liferay DXP versions 7.4 GA through update 92, update to the latest version. For Liferay DXP versions 7.3 update 29 through update 35, update to the latest version. As a temporary workaround, consider restricting access to the com liferay commerce catalog web internal portlet CommerceCatalogsPortlet redirect parameter to minimize the risk of exploitation.