CVE-2024-26271
📊 8.8 HIGH⚡ 0.1%🎯 0 exploits
📅 Published Oct 22, 2024
📋 Status: Analyzed
Cross-site request forgery (CSRF) vulnerability in the My Account widget in Liferay Portal 7.4.3.75 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 update 75 through update 92 and 7.3 update 32 through update 36 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the _com_liferay_my_account_web_portlet_MyAccountPortlet_backURL parameter.
CVSS v3.1 • [email protected]
🎯 Affected Products & Systems
25 product configurations affected
Filter by type:
| Type | Vendor | Product | Version Range | Status | CPE String |
|---|---|---|---|---|---|
📱App | liferay | digital experience platform | ≥ 2023.q3.1 ∧ < 2023.q3.6 | Vulnerable | cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:* |
📱App | liferay | digital experience platform | ≥ 2023.q4.0 ∧ < 2023.q4.3 | Vulnerable | cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:* |
📱App | liferay | digital experience platform | 7.3 | Vulnerable | cpe:2.3:a:liferay:digital_experience_platform:7.3:update32:*:*:*:*:*:* |
📱App | liferay | digital experience platform | 7.3 | Vulnerable | cpe:2.3:a:liferay:digital_experience_platform:7.3:update33:*:*:*:*:*:* |
📱App | liferay | digital experience platform | 7.3 | Vulnerable | cpe:2.3:a:liferay:digital_experience_platform:7.3:update34:*:*:*:*:*:* |
📱App | liferay | digital experience platform | 7.3 | Vulnerable | cpe:2.3:a:liferay:digital_experience_platform:7.3:update35:*:*:*:*:*:* |
📱App | liferay | digital experience platform | 7.4 | Vulnerable | cpe:2.3:a:liferay:digital_experience_platform:7.4:update75:*:*:*:*:*:* |
📱App | liferay | digital experience platform | 7.4 | Vulnerable | cpe:2.3:a:liferay:digital_experience_platform:7.4:update76:*:*:*:*:*:* |
📱App | liferay | digital experience platform | 7.4 | Vulnerable | cpe:2.3:a:liferay:digital_experience_platform:7.4:update77:*:*:*:*:*:* |
📱App | liferay | digital experience platform | 7.4 | Vulnerable | cpe:2.3:a:liferay:digital_experience_platform:7.4:update78:*:*:*:*:*:* |
📱App | liferay | digital experience platform | 7.4 | Vulnerable | cpe:2.3:a:liferay:digital_experience_platform:7.4:update79:*:*:*:*:*:* |
📱App | liferay | digital experience platform | 7.4 | Vulnerable | cpe:2.3:a:liferay:digital_experience_platform:7.4:update80:*:*:*:*:*:* |
📱App | liferay | digital experience platform | 7.4 | Vulnerable | cpe:2.3:a:liferay:digital_experience_platform:7.4:update81:*:*:*:*:*:* |
📱App | liferay | digital experience platform | 7.4 | Vulnerable | cpe:2.3:a:liferay:digital_experience_platform:7.4:update82:*:*:*:*:*:* |
📱App | liferay | digital experience platform | 7.4 | Vulnerable | cpe:2.3:a:liferay:digital_experience_platform:7.4:update83:*:*:*:*:*:* |
📱App | liferay | digital experience platform | 7.4 | Vulnerable | cpe:2.3:a:liferay:digital_experience_platform:7.4:update84:*:*:*:*:*:* |
📱App | liferay | digital experience platform | 7.4 | Vulnerable | cpe:2.3:a:liferay:digital_experience_platform:7.4:update85:*:*:*:*:*:* |
📱App | liferay | digital experience platform | 7.4 | Vulnerable | cpe:2.3:a:liferay:digital_experience_platform:7.4:update86:*:*:*:*:*:* |
📱App | liferay | digital experience platform | 7.4 | Vulnerable | cpe:2.3:a:liferay:digital_experience_platform:7.4:update87:*:*:*:*:*:* |
📱App | liferay | digital experience platform | 7.4 | Vulnerable | cpe:2.3:a:liferay:digital_experience_platform:7.4:update88:*:*:*:*:*:* |
📱App | liferay | digital experience platform | 7.4 | Vulnerable | cpe:2.3:a:liferay:digital_experience_platform:7.4:update89:*:*:*:*:*:* |
📱App | liferay | digital experience platform | 7.4 | Vulnerable | cpe:2.3:a:liferay:digital_experience_platform:7.4:update90:*:*:*:*:*:* |
📱App | liferay | digital experience platform | 7.4 | Vulnerable | cpe:2.3:a:liferay:digital_experience_platform:7.4:update91:*:*:*:*:*:* |
📱App | liferay | digital experience platform | 7.4 | Vulnerable | cpe:2.3:a:liferay:digital_experience_platform:7.4:update92:*:*:*:*:*:* |
📱App | liferay | liferay portal | ≥ 7.4.3.75 ∧ < 7.4.3.112 | Vulnerable | cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:* |
📱
VulnerableApplication
Version: ≥ 2023.q3.1 ∧ < 2023.q3.6
CPE:
cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*
📱
VulnerableApplication
Version: ≥ 2023.q4.0 ∧ < 2023.q4.3
CPE:
cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*
📱
VulnerableApplication
Version: 7.3
CPE:
cpe:2.3:a:liferay:digital_experience_platform:7.3:update32:*:*:*:*:*:*
📱
VulnerableApplication
Version: 7.3
CPE:
cpe:2.3:a:liferay:digital_experience_platform:7.3:update33:*:*:*:*:*:*
📱
VulnerableApplication
Version: 7.3
CPE:
cpe:2.3:a:liferay:digital_experience_platform:7.3:update34:*:*:*:*:*:*
📱
VulnerableApplication
Version: 7.3
CPE:
cpe:2.3:a:liferay:digital_experience_platform:7.3:update35:*:*:*:*:*:*
📱
VulnerableApplication
Version: 7.4
CPE:
cpe:2.3:a:liferay:digital_experience_platform:7.4:update75:*:*:*:*:*:*
📱
VulnerableApplication
Version: 7.4
CPE:
cpe:2.3:a:liferay:digital_experience_platform:7.4:update76:*:*:*:*:*:*
📱
VulnerableApplication
Version: 7.4
CPE:
cpe:2.3:a:liferay:digital_experience_platform:7.4:update77:*:*:*:*:*:*
📱
VulnerableApplication
Version: 7.4
CPE:
cpe:2.3:a:liferay:digital_experience_platform:7.4:update78:*:*:*:*:*:*
📱
VulnerableApplication
Version: 7.4
CPE:
cpe:2.3:a:liferay:digital_experience_platform:7.4:update79:*:*:*:*:*:*
📱
VulnerableApplication
Version: 7.4
CPE:
cpe:2.3:a:liferay:digital_experience_platform:7.4:update80:*:*:*:*:*:*
📱
VulnerableApplication
Version: 7.4
CPE:
cpe:2.3:a:liferay:digital_experience_platform:7.4:update81:*:*:*:*:*:*
📱
VulnerableApplication
Version: 7.4
CPE:
cpe:2.3:a:liferay:digital_experience_platform:7.4:update82:*:*:*:*:*:*
📱
VulnerableApplication
Version: 7.4
CPE:
cpe:2.3:a:liferay:digital_experience_platform:7.4:update83:*:*:*:*:*:*
📱
VulnerableApplication
Version: 7.4
CPE:
cpe:2.3:a:liferay:digital_experience_platform:7.4:update84:*:*:*:*:*:*
📱
VulnerableApplication
Version: 7.4
CPE:
cpe:2.3:a:liferay:digital_experience_platform:7.4:update85:*:*:*:*:*:*
📱
VulnerableApplication
Version: 7.4
CPE:
cpe:2.3:a:liferay:digital_experience_platform:7.4:update86:*:*:*:*:*:*
📱
VulnerableApplication
Version: 7.4
CPE:
cpe:2.3:a:liferay:digital_experience_platform:7.4:update87:*:*:*:*:*:*
📱
VulnerableApplication
Version: 7.4
CPE:
cpe:2.3:a:liferay:digital_experience_platform:7.4:update88:*:*:*:*:*:*
📱
VulnerableApplication
Version: 7.4
CPE:
cpe:2.3:a:liferay:digital_experience_platform:7.4:update89:*:*:*:*:*:*
📱
VulnerableApplication
Version: 7.4
CPE:
cpe:2.3:a:liferay:digital_experience_platform:7.4:update90:*:*:*:*:*:*
📱
VulnerableApplication
Version: 7.4
CPE:
cpe:2.3:a:liferay:digital_experience_platform:7.4:update91:*:*:*:*:*:*
📱
VulnerableApplication
Version: 7.4
CPE:
cpe:2.3:a:liferay:digital_experience_platform:7.4:update92:*:*:*:*:*:*
📱
VulnerableApplication
Version: ≥ 7.4.3.75 ∧ < 7.4.3.112
CPE:
cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*
25 products•scroll for more
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector:
NETWORK
Complexity:
LOW
Privileges:
NONE
User Interaction:
REQUIRED
Confidentiality:
HIGH
Integrity:
HIGH
Availability:
HIGH
Scope:
UNCHANGED
🔍 Technical Details
Analysis Status
AnalyzedCVSS Details
8.8 (HIGH)v3.1
Source: [email protected]
EPSS Details
0.1% (Minimal)32.3th percentile
Last updated: Nov 1, 2025
Exploitation probability within 30 days
Published Date
Oct 22, 2024 (1 year ago)
Last Modified
Dec 10, 2024 (10 months ago)
Security Weaknesses2
CWE-352
References2
NVDadvisory