CVE-2023-35030

HIGH8.8EPSS 1.4%

Liferay Portal and Liferay DXP Vulnerable to CSRF via the Layout Module

發布日:2023/6/15修改日:2025/8/8

描述

Cross-site request forgery (CSRF) vulnerability in the Layout module's SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.76, and Liferay DXP 7.4 update 70 through 76 allows remote attackers to execute arbitrary code in the scripting console via the `_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL` parameter.

受影響套件(2)

Maven/com.liferay.portal:release.dxp.bom>= 7.4.13.u70, <= 7.4.13.u76
Maven/com.liferay.portal:release.portal.bom>= 7.4.3.70-ga70, < 7.4.3.77-ga77

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

參考連結(3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-35030
PATCHhttps://github.com/liferay/liferay-portal
WEBhttps://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-35030