Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-35030

Cross-site request forgery (CSRF) vulnerability in the Layout module's SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.76, and Liferay DXP 7.4 update 70 through 76 allows remote attackers to execute arbitrary code in the scripting console via the `_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL` parameter.

Published

2023-06-15T05:15:09.857

Last Modified

2024-11-21T08:07:50.727

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.8 (HIGH)

Weaknesses

Type: Secondary
CWE-352
Type: Primary
CWE-352

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	liferay	dxp	7.4	Yes
Application	liferay	dxp	7.4	Yes
Application	liferay	dxp	7.4	Yes
Application	liferay	dxp	7.4	Yes
Application	liferay	dxp	7.4	Yes
Application	liferay	dxp	7.4	Yes
Application	liferay	dxp	7.4	Yes
Application	liferay	liferay_portal	< 7.4.3.77	Yes

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-35030 Patch, Vendor Advisory ([email protected])
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-35030 Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)