Platform: java
Component: com.liferay.portal:release.portal.bom
Fixed in:
7.4.4
173.0.1
102.0.1
28.0.1
20.0.1
7.3.11
7.4.14
2023.0.1
7.4.3.102-GA102
CVE-2024-8980 is a critical Cross-Site Request Forgery (CSRF) vulnerability affecting Liferay Portal and Liferay DXP versions 7.0.0 through 7.4.3.101. This flaw allows a remote attacker to execute arbitrary Groovy scripts through a crafted URL or by exploiting an existing XSS vulnerability. The vulnerability is resolved in Liferay Portal 7.4.3.102, Liferay DXP 2024.Q1.1, and related versions.
The impact of CVE-2024-8980 is severe due to the ability to execute arbitrary Groovy scripts. An attacker exploiting this vulnerability could gain unauthorized access to sensitive data, modify system configurations, or even execute arbitrary commands on the server. This could lead to data breaches, denial of service, or complete system takeover. The vulnerability's reliance on either a crafted URL or an existing XSS vulnerability expands the attack surface, making it potentially easier to exploit. Successful exploitation could allow attackers to impersonate legitimate users and perform actions on their behalf, further compounding the damage.
CVE-2024-8980 has been publicly disclosed and assigned a CVSS score of 9.6 (CRITICAL). While no active exploitation campaigns have been publicly confirmed, the ease of exploitation and the potential impact make it a high-priority vulnerability. Public proof-of-concept exploits are likely to emerge. This vulnerability was published on 2024-10-22. It is not currently listed on CISA KEV.
Organizations heavily reliant on Liferay Portal for their web applications and content management are at significant risk. This includes businesses using Liferay for customer portals, e-commerce platforms, or internal applications. Environments with legacy Liferay configurations or those lacking robust security practices are particularly vulnerable.
• linux / server: Monitor Liferay Portal logs for unusual script execution attempts or suspicious URLs containing script console references. Use journalctl -f to monitor for related errors.
  journalctl -f | grep "Script Console"
• generic web: Use curl to test for CSRF vulnerabilities by crafting malicious requests targeting the Script Console.
  curl -X POST -d 'some_malicious_script' https://your-liferay-portal/scriptconsole
• java: Review Liferay Portal's security configuration files for proper CSRF protection settings. Check for any disabled or misconfigured CSRF filters.
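The log-monitoring step above only greps for a string. As an added, defender-side example that is not part of this advisory, the Python script below scans web-access log lines for requests that reference the Script Console and carry the classic CSRF indicators: a cross-site Referer, no token in the query string, or a state-changing action issued via GET. Everything it relies on is an assumption to adjust for your deployment: the log is in Apache/nginx "combined" format, the portal hostname is PORTAL_HOST, the CSRF token parameter is named p_auth (Liferay's authentication token parameter), and the Script Console is recognised by the URL markers in SCRIPT_CONSOLE_MARKERS. The sample log lines are constructed, not real traffic.

```python
"""Flag Script Console requests that look cross-site (CSRF indicators).

Added example, not from the advisory or from Liferay. Assumptions (tune them):
combined log format, PORTAL_HOST, the token parameter name, and the markers.
"""
import re
from urllib.parse import parse_qs, urlsplit

PORTAL_HOST = "portal.example.com"                 # assumption: your portal's hostname
CSRF_TOKEN_PARAM = "p_auth"                        # assumption: Liferay auth token parameter
SCRIPT_CONSOLE_MARKERS = ("scriptconsole", "script_console")  # assumption: URL substrings

# Apache/nginx "combined" format: ip ident user [ts] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines: one legitimate admin action, two suspicious ones, one unrelated hit.
SAMPLE_LOG = """\
203.0.113.5 - admin [22/Oct/2024:10:00:01 +0000] "POST /group/control_panel/manage?p_p_id=ScriptConsole_PLACEHOLDER&p_auth=abc123 HTTP/1.1" 200 512 "https://portal.example.com/group/control_panel" "Mozilla/5.0"
198.51.100.7 - - [22/Oct/2024:10:02:17 +0000] "GET /c/portal/scriptconsole?cmd=execute HTTP/1.1" 200 340 "https://attacker.example/lure.html" "Mozilla/5.0"
203.0.113.9 - - [22/Oct/2024:10:03:40 +0000] "GET /web/guest/home HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
192.0.2.44 - - [22/Oct/2024:10:05:02 +0000] "POST /group/control_panel/manage?p_p_id=ScriptConsole_PLACEHOLDER HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def references_script_console(target):
    """True if the request target contains one of the configured Script Console markers."""
    lowered = target.lower()
    return any(marker in lowered for marker in SCRIPT_CONSOLE_MARKERS)


def assess(entry):
    """List the CSRF indicators for one parsed entry; empty if it is not a Script Console request."""
    reasons = []
    if not references_script_console(entry["target"]):
        return reasons
    reasons.append("script-console-reference")

    # Liferay portlet action URLs normally carry the token in the query string. For POSTs the
    # token may instead be in the body, which access logs do not record, so this is a weak signal.
    query = parse_qs(urlsplit(entry["target"]).query)
    if CSRF_TOKEN_PARAM not in query:
        reasons.append("no-csrf-token-in-query")

    # A Referer from another origin is the strongest sign of a cross-site request.
    referer = entry["referer"]
    if referer and referer != "-":
        ref_host = (urlsplit(referer).hostname or "").lower()
        if ref_host != PORTAL_HOST:
            reasons.append(f"cross-site-referer:{ref_host}")
    else:
        reasons.append("no-referer")

    # A crafted URL delivers its action as a GET; legitimate console use posts a form.
    if entry["method"] == "GET":
        reasons.append("state-changing-via-get")
    return reasons


def scan(log_text):
    """Return findings for entries that reference the console AND show at least one CSRF indicator."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if len(reasons) > 1:
            findings.append({"ip": entry["ip"], "ts": entry["ts"],
                             "target": entry["target"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ts"], finding["ip"], finding["target"], ", ".join(finding["reasons"]))
```

Run it against a real access log with scan(open(path).read()) after setting PORTAL_HOST and the markers to your paths. The legitimate admin line is not reported because it carries a token and a same-site Referer; the two suspicious lines are reported with the specific indicators that triggered, which is what you want to hand to whoever triages the alert.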
Disclosure:
Patch:
Exploit status:
EPSS: 0.38% (60th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2024-8980 is to upgrade to a patched version of Liferay Portal or DXP. Upgrade to Liferay Portal 7.4.3.102-GA102, Liferay DXP 2024.Q1.1, or a later version. If immediate upgrading is not possible, consider implementing temporary workarounds such as restricting access to the Script Console, implementing stricter CSRF protection mechanisms (e.g., using tokens), and carefully reviewing user permissions. Monitor Liferay logs for suspicious activity, particularly requests involving the Script Console. After upgrading, confirm the fix by attempting to execute a script via a crafted URL and verifying that the request is rejected.
Update Liferay Portal to a version in which the CSRF vulnerability has been fixed. For more information on the fixed versions and specific update instructions, see Liferay's security advisory.
CVE-2024-8980 is a critical Cross-Site Request Forgery (CSRF) vulnerability in Liferay Portal and DXP versions allowing attackers to execute arbitrary Groovy scripts.
If you are running Liferay Portal or DXP versions 7.0.0 through 7.4.3.101, you are potentially affected by this vulnerability.
Upgrade to Liferay Portal 7.4.3.102-GA102, Liferay DXP 2024.Q1.1, or a later patched version to mitigate the vulnerability.
While no active exploitation campaigns have been publicly confirmed, the critical severity and ease of exploitation make it a high-priority target.
Refer to the official Liferay security advisory for detailed information and updates: [https://liferay.com/security/advisory/liferay-portal-dxp-csrf-script-console](https://liferay.com/security/advisory/liferay-portal-dxp-csrf-script-console)