CVE-2024-8980 CRITICAL

CVE-2024-8980

Vendor Liferay
Product Portal
Weakness CWE-352 · CSRF
Published October 22, 2024
Last update October 22, 2024
View on NVD All CVEs

CVSS base score

9.6/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

The Script Console in Liferay Portal 7.0.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, 7.2 GA through fix pack 20, 7.1 GA through fix pack 28, 7.0 GA through fix pack 102 and 6.2 GA through fix pack 173 does not sufficiently protect against Cross-Site Request Forgery (CSRF) attacks, which allows remote attackers to execute arbitrary Groovy script via a crafted URL or a XSS vulnerability.

Key dates

02Disclosure timeline

October 22, 2024 CVE published
October 22, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-50534 WordPress World Prayer Time plugin <= 2.0 - CSRF to Reflected Cross Site Scripting (XSS) vulnerability CVE-2024-24705 WordPress Accessibility Plugin <= 1.0.6 is vulnerable to Cross Site Request Forgery (CSRF) CVE-2024-34756 WordPress Integration for HubSpot and Contact Form 7 plugin <= 1.3.1 - Cross Site Request Forgery (CSRF) vulnerability CVE-2017-20062 Elefant CMS cross-site request forgery CVE-2025-39563 WordPress Conditional Payments for WooCommerce plugin <= 3.3.0 - Cross Site Request Forgery (CSRF) Vulnerability