The Script Console in Liferay Portal 7.0.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, 7.2 GA through fix pack 20, 7.1 GA through fix pack 28, 7.0 GA through fix pack 102 and 6.2 GA through fix pack 173 does not sufficiently protect against Cross-Site Request Forgery (CSRF) attacks, which allows remote attackers to execute arbitrary Groovy script via a crafted URL or an XSS vulnerability.
History
Wed, 30 Oct 2024 15:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared | Liferay digital Experience Platform, Liferay liferay Portal | |
CPEs | cpe:2.3:a:liferay:digital_experience_platform:2023:q3.1:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:2023:q3.4:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:6.2:-:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:7.0:-:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:7.1:-:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:7.3:update14:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:7.3:update35:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:* cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:* | |
Vendors & Products | Liferay digital Experience Platform, Liferay liferay Portal | |
Tue, 22 Oct 2024 15:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared | Liferay, Liferay dxp Liferay portal | |
CPEs | cpe:2.3:a:liferay:dxp:*:*:*:*:*:*:*:* cpe:2.3:a:liferay:portal:*:*:*:*:*:*:*:* | |
Vendors & Products | Liferay, Liferay dxp Liferay portal | |
Metrics | ssvc | |
Tue, 22 Oct 2024 15:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | The Script Console in Liferay Portal 7.0.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, 7.2 GA through fix pack 20, 7.1 GA through fix pack 28, 7.0 GA through fix pack 102 and 6.2 GA through fix pack 173 does not sufficiently protect against Cross-Site Request Forgery (CSRF) attacks, which allows remote attackers to execute arbitrary Groovy script via a crafted URL or a XSS vulnerability. | |
Weaknesses | CWE-352 | |
References | | |
Metrics | cvssV3_1 | |
MITRE
Status: PUBLISHED
Assigner: Liferay
Published: 2024-10-22T14:43:04.606Z
Updated: 2024-10-22T15:08:48.472Z
Reserved: 2024-09-18T18:04:13.531Z
Link: CVE-2024-8980
Vulnrichment
Updated: 2024-10-22T15:08:23.556Z
NVD
Status: Analyzed
Published: 2024-10-22T15:15:07.337
Modified: 2024-10-30T14:46:14.127
Link: CVE-2024-8980
Redhat
No data.