Description

The Image Uploader module in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions relies on a request parameter to limit the size of files that can be uploaded, which allows remote authenticated users to upload arbitrarily large files to the system's temp folder by modifying the `maxFileSize` parameter.

Remediation

References

CVE-2024-26265

Related Vulnerabilities

WordPress Plugin Slideshow Gallery LITE Multiple Cross-Site Scripting Vulnerabilities (1.6.5)

WordPress Plugin wpDataTables-WordPress Data Table, Dynamic Tables & Table Charts Multiple Vulnerabilities (2.0.11)

Plone CMS URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2017-1000481)

WordPress Plugin Zlick Paywall Security Bypass (2.2.1)

WordPress Plugin Double Opt-In for Download SQL Injection (2.0.8)

Severity

Medium

Classification

CVE-2024-26265 CWE-770 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Tags

Missing Update Known Vulnerabilities