Description
The Remote App module in Liferay Portal v7.4.3.4 through v7.4.3.8 and Liferay DXP 7.4 before update 5 does not check whether the origin of the event messages it receives matches the origin of the Remote App, allowing attackers to exfiltrate the CSRF token via a crafted event message.
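The flaw described above is the classic missing `event.origin` check on a `window.postMessage` listener. The following is an added illustration, not Liferay's code: it models a host page that embeds a Remote App in an iframe and answers its event messages, showing the unchecked handler next to a hardened one that is bound to the Remote App's origin. The message shape (`{ type: 'getCsrfToken' }`), the handler names, the sample token and the URLs are all assumptions made for the example; the fake event objects stand in for browser `MessageEvent`s so it runs under Node.

```javascript
// Added example (not Liferay's code). Host-page side of a postMessage exchange
// with an embedded Remote App. Message shape, names and values are assumptions.

const CSRF_TOKEN = 'constructed-csrf-token-0001'; // constructed sample value

// The origin the host should trust is derived from the configured Remote App URL.
// An origin is scheme + host + port; comparing the full origin is the check the
// advisory says was missing.
function remoteAppOrigin(remoteAppUrl) {
  return new URL(remoteAppUrl).origin;
}

// Builds the reply for a message we answer, or null for anything else.
function buildReply(data) {
  if (data && typeof data === 'object' && data.type === 'getCsrfToken') {
    return { type: 'csrfToken', token: CSRF_TOKEN };
  }
  return null;
}

// Vulnerable pattern: answers any window that sends a plausible message.
// Any page holding a reference to this window receives the token, and the
// '*' target origin lets any origin read the reply.
function uncheckedHandler(event) {
  const reply = buildReply(event.data);
  if (reply) {
    event.source.postMessage(reply, '*');
  }
  return reply !== null;
}

// Hardened pattern: drop messages whose origin is not the Remote App's, and
// address the reply to that origin only, so a mismatched window never gets it.
function makeCheckedHandler(remoteAppUrl) {
  const expected = remoteAppOrigin(remoteAppUrl);
  return function checkedHandler(event) {
    if (event.origin !== expected) {
      return false; // ignored: origin mismatch
    }
    const reply = buildReply(event.data);
    if (reply) {
      event.source.postMessage(reply, expected);
    }
    return reply !== null;
  };
}

// Test double for a MessageEvent; the fake source window records what it was sent.
function fakeEvent(origin, data) {
  const sent = [];
  return {
    origin,
    data,
    sent,
    source: { postMessage: (msg, targetOrigin) => sent.push({ msg, targetOrigin }) },
  };
}

// Runs both handlers against a legitimate and a foreign sender and reports what leaked.
function demo() {
  const remoteApp = 'https://remote-app.example:8443/app'; // constructed URL
  const request = { type: 'getCsrfToken' };

  const foreignToUnchecked = fakeEvent('https://other-site.example', request);
  const answeredForeign = uncheckedHandler(foreignToUnchecked);

  const checked = makeCheckedHandler(remoteApp);
  const legit = fakeEvent('https://remote-app.example:8443', request);
  const foreign = fakeEvent('https://other-site.example', request);
  const answeredLegit = checked(legit);
  const answeredForeignChecked = checked(foreign);

  return {
    uncheckedLeaksToForeign: answeredForeign && foreignToUnchecked.sent[0].targetOrigin === '*',
    checkedAnswersRemoteApp: answeredLegit && legit.sent[0].targetOrigin === remoteAppOrigin(remoteApp),
    checkedDropsForeign: !answeredForeignChecked && foreign.sent.length === 0,
  };
}

console.log(demo());
```

Two details matter when reviewing a fix for this class of bug: the comparison must be against the full origin (a hostname-only or `startsWith` check lets a different port or scheme through), and replies should name the expected origin as the second argument to `postMessage` rather than `'*'`, so that even a handler bug cannot hand the token to another window.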
Remediation
References
Related Vulnerabilities
MySQL CVE-2024-21129 Vulnerability (CVE-2024-21129)
WordPress Plugin MasterStudy LMS - for Online Courses and Education Information Disclosure (3.2.10)
WebLogic CVE-2023-21979 Vulnerability (CVE-2023-21979)
WordPress 4.7.x Multiple Vulnerabilities (4.7 - 4.7.24)
Liferay Portal Allocation of Resources Without Limits or Throttling Vulnerability (CVE-2024-26265)