High severityNVD Advisory· Published Jun 15, 2023· Updated Oct 22, 2024

CVE-2023-35030

Description

Cross-site request forgery (CSRF) vulnerability in the Layout module's SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.76, and Liferay DXP 7.4 update 70 through 76 allows remote attackers to execute arbitrary code in the scripting console via the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL parameter.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
com.liferay.portal:release.portal.bomMaven	>= 7.4.3.70-ga70, < 7.4.3.77-ga77	7.4.3.77-ga77
com.liferay.portal:release.dxp.bomMaven	>= 7.4.13.u70, <= 7.4.13.u76	—

Affected products

Liferay/Portalv5
Range: 7.4.3.70
Liferay/DXPv5
Range: 7.4.13.u70

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-p2fc-xxr8-fw3pghsaADVISORY
liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-35030ghsavendor-advisoryWEB
nvd.nist.gov/vuln/detail/CVE-2023-35030ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000