CVE-2024-26265 MEDIUM

CVE-2024-26265

Vendor Liferay
Product Portal
Weakness CWE-770 · Uncontrolled resource consumption
Published February 20, 2024
Last update October 2, 2024

CVSS base score

5.0/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L

What the vulnerability does

01Description

The Image Uploader module in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions relies on a request parameter to limit the size of files that can be uploaded, which allows remote authenticated users to upload arbitrarily large files to the system's temp folder by modifying the `maxFileSize` parameter.

Key dates

02Disclosure timeline

February 20, 2024 CVE published
October 2, 2024 Record updated