Description

Cross-site request forgery (CSRF) vulnerability in the Layout module's SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.76, and Liferay DXP 7.4 update 70 through 76 allows remote attackers to execute arbitrary code in the scripting console via the `_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL` parameter.

Remediation

References

CVE-2023-35030

Related Vulnerabilities

Piwigo Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2017-5608)

WordPress Plugin Accept Donations with PayPal Cross-Site Request Forgery (1.3.3)

Drupal Improper Input Validation Vulnerability (CVE-2010-2473)

WordPress Plugin Export Users to CSV CSV Injection (1.1.1)

Oracle Database Server CVE-2012-1745 Vulnerability (CVE-2012-1745)

Severity

High

Classification

CVE-2023-35030 CWE-352 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities