CVE-2024-8980 Information

Nov 01, 2024 cve

Description

The Script Console in Liferay Portal 7.0.0 through 7.4.3.101 and Liferay DXP 2023.Q3.1 through 2023.Q3.4 7.4 GA through update 92 7.3 GA through update 35 7.2 GA through fix pack 20 7.1 GA through fix pack 28 7.0 GA through fix pack 102 and 6.2 GA through fix pack 173 does not sufficiently protect against Cross-Site Request Forgery (CSRF) attacks which allows remote attackers to execute arbitrary Groovy script via a crafted URL or a XSS vulnerability.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Reference

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-8980

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

CHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

NONE

Base Severity

6.1

Share on: