Description

Cross-site request forgery (CSRF) vulnerability in the content page editor in Liferay Portal 7.4.0 through 7.4.3.103, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92 and 7.3 update 29 through update 35 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the _com_liferay_commerce_catalog_web_internal_portlet_CommerceCatalogsPortlet_redirect parameter.

Remediation

References

CVE-2024-26273

Related Vulnerabilities

WordPress Plugin MailCWP Arbitrary File Upload (1.99)

WordPress Plugin HDW WordPress Video Gallery Multiple Cross-Site Scripting Vulnerabilities (1.2)

Drupal Core 7.x SQL Injection (7.0 - 7.31)

Varnish Cache Integer Overflow or Wraparound Vulnerability (CVE-2017-12425)

Internet Information Services Other Vulnerability (CVE-1999-0154)

Severity

High

Classification

CVE-2024-26273 CWE-352 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities