high
8.8
CWE
352
Advisory Published
Updated

CVE-2024-26272: CSRF

First published: Tue Oct 22 2024(Updated: )

Cross-site request forgery (CSRF) vulnerability in the content page editor in Liferay Portal 7.3.2 through 7.4.3.107, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92 and 7.3 GA through update 35 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the p_l_back_url parameter.

Credit: security@liferay.com

Affected SoftwareAffected VersionHow to fix
Liferay DXP>=2023.q3.1<2023.q3.6
Liferay DXP>=2023.q4.0<2023.q4.3
Liferay DXP=7.3
Liferay DXP=7.3-fix_pack_1
Liferay DXP=7.3-fix_pack_2
Liferay DXP=7.3-service_pack_1
Liferay DXP=7.3-service_pack_3
Liferay DXP=7.3-update10
Liferay DXP=7.3-update11
Liferay DXP=7.3-update12
Liferay DXP=7.3-update13
Liferay DXP=7.3-update14
Liferay DXP=7.3-update15
Liferay DXP=7.3-update16
Liferay DXP=7.3-update17
Liferay DXP=7.3-update18
Liferay DXP=7.3-update19
Liferay DXP=7.3-update20
Liferay DXP=7.3-update21
Liferay DXP=7.3-update22
Liferay DXP=7.3-update23
Liferay DXP=7.3-update24
Liferay DXP=7.3-update25
Liferay DXP=7.3-update26
Liferay DXP=7.3-update27
Liferay DXP=7.3-update28
Liferay DXP=7.3-update29
Liferay DXP=7.3-update30
Liferay DXP=7.3-update31
Liferay DXP=7.3-update32
Liferay DXP=7.3-update33
Liferay DXP=7.3-update34
Liferay DXP=7.3-update35
Liferay DXP=7.3-update4
Liferay DXP=7.3-update5
Liferay DXP=7.3-update6
Liferay DXP=7.3-update7
Liferay DXP=7.3-update8
Liferay DXP=7.3-update9
Liferay DXP=7.4
Liferay DXP=7.4-update1
Liferay DXP=7.4-update10
Liferay DXP=7.4-update11
Liferay DXP=7.4-update12
Liferay DXP=7.4-update13
Liferay DXP=7.4-update14
Liferay DXP=7.4-update15
Liferay DXP=7.4-update16
Liferay DXP=7.4-update17
Liferay DXP=7.4-update18
Liferay DXP=7.4-update19
Liferay DXP=7.4-update2
Liferay DXP=7.4-update20
Liferay DXP=7.4-update21
Liferay DXP=7.4-update22
Liferay DXP=7.4-update23
Liferay DXP=7.4-update24
Liferay DXP=7.4-update25
Liferay DXP=7.4-update26
Liferay DXP=7.4-update27
Liferay DXP=7.4-update28
Liferay DXP=7.4-update29
Liferay DXP=7.4-update3
Liferay DXP=7.4-update30
Liferay DXP=7.4-update31
Liferay DXP=7.4-update32
Liferay DXP=7.4-update33
Liferay DXP=7.4-update34
Liferay DXP=7.4-update35
Liferay DXP=7.4-update36
Liferay DXP=7.4-update37
Liferay DXP=7.4-update38
Liferay DXP=7.4-update39
Liferay DXP=7.4-update4
Liferay DXP=7.4-update40
Liferay DXP=7.4-update41
Liferay DXP=7.4-update42
Liferay DXP=7.4-update43
Liferay DXP=7.4-update44
Liferay DXP=7.4-update45
Liferay DXP=7.4-update46
Liferay DXP=7.4-update47
Liferay DXP=7.4-update48
Liferay DXP=7.4-update49
Liferay DXP=7.4-update5
Liferay DXP=7.4-update50
Liferay DXP=7.4-update51
Liferay DXP=7.4-update52
Liferay DXP=7.4-update53
Liferay DXP=7.4-update54
Liferay DXP=7.4-update55
Liferay DXP=7.4-update56
Liferay DXP=7.4-update57
Liferay DXP=7.4-update58
Liferay DXP=7.4-update59
Liferay DXP=7.4-update6
Liferay DXP=7.4-update60
Liferay DXP=7.4-update61
Liferay DXP=7.4-update62
Liferay DXP=7.4-update63
Liferay DXP=7.4-update64
Liferay DXP=7.4-update65
Liferay DXP=7.4-update66
Liferay DXP=7.4-update67
Liferay DXP=7.4-update68
Liferay DXP=7.4-update69
Liferay DXP=7.4-update7
Liferay DXP=7.4-update70
Liferay DXP=7.4-update71
Liferay DXP=7.4-update72
Liferay DXP=7.4-update73
Liferay DXP=7.4-update74
Liferay DXP=7.4-update75
Liferay DXP=7.4-update76
Liferay DXP=7.4-update77
Liferay DXP=7.4-update78
Liferay DXP=7.4-update79
Liferay DXP=7.4-update8
Liferay DXP=7.4-update80
Liferay DXP=7.4-update81
Liferay DXP=7.4-update82
Liferay DXP=7.4-update83
Liferay DXP=7.4-update84
Liferay DXP=7.4-update85
Liferay DXP=7.4-update86
Liferay DXP=7.4-update87
Liferay DXP=7.4-update88
Liferay DXP=7.4-update89
Liferay DXP=7.4-update9
Liferay DXP=7.4-update90
Liferay DXP=7.4-update91
Liferay DXP=7.4-update92
Liferay 7.4 GA>=7.3.2<=7.3.7
Liferay 7.4 GA>=7.4.0<7.4.3.108

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2024-26272?

    CVE-2024-26272 is classified as a high-severity vulnerability due to its potential impact on user accounts.

  • How do I fix CVE-2024-26272?

    To fix CVE-2024-26272, update Liferay Portal to versions 7.4.3.108 or higher, or 7.3.7 or higher.

  • What types of attacks does CVE-2024-26272 allow?

    CVE-2024-26272 allows remote attackers to perform cross-site request forgery attacks that can change user passwords and other sensitive data.

  • Which versions of Liferay are affected by CVE-2024-26272?

    CVE-2024-26272 affects Liferay Portal versions 7.3.2 to 7.4.3.107 and Liferay DXP versions up to 2023.Q4.2.

  • What is the nature of the vulnerability described in CVE-2024-26272?

    CVE-2024-26272 is a cross-site request forgery (CSRF) vulnerability specifically within the content page editor of Liferay Portal.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203