CVE-2024-8980

Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 6.2 GA through fix pack 173 Liferay Portal versions 7.0 GA through fix pack 102 Liferay Portal versions 7.0.0 through 7.4.3.101 Liferay DXP versions 7.1 GA through fix pack 28 Liferay DXP versions 7.2 GA through fix pack 20 Liferay DXP versions 7.3 GA through update 35 Liferay DXP versions 7.4 GA through update 92 Liferay DXP versions 2023.Q3.1 through 2023.Q3.4

Description: The Script Console in Liferay Portal and Liferay DXP does not sufficiently protect against Cross-Site Request Forgery (CSRF) attacks, which allows remote attackers to execute arbitrary Groovy script via a crafted URL or a XSS vulnerability.

Recommendations: For Liferay Portal version 6.2 GA through fix pack 173, update to a version with the fix. For Liferay Portal version 7.0 GA through fix pack 102, update to a version with the fix. For Liferay Portal version 7.0.0 through 7.4.3.101, update to a version with the fix. For Liferay DXP version 7.1 GA through fix pack 28, update to a version with the fix. For Liferay DXP version 7.2 GA through fix pack 20, update to a version with the fix. For Liferay DXP version 7.3 GA through update 35, update to a version with the fix. For Liferay DXP version 7.4 GA through update 92, update to a version with the fix. For Liferay DXP version 2023.Q3.1 through 2023.Q3.4, update to a version with the fix. As a temporary workaround, consider disabling the Script Console until a patch is available.