Platform
java
Component
com.liferay.portal:release.portal.bom
Fixed in
7.4.4
173.0.1
102.0.1
28.0.1
20.0.1
7.3.11
7.4.14
2023.0.1
7.4.3.102-GA102
CVE-2024-8980 is a critical Cross-Site Request Forgery (CSRF) vulnerability affecting Liferay Portal and Liferay DXP versions 7.0.0 through 7.4.3.101. This flaw allows a remote attacker to execute arbitrary Groovy scripts through a crafted URL or by exploiting an existing XSS vulnerability. The vulnerability is resolved in Liferay Portal 7.4.3.102, Liferay DXP 2024.Q1.1, and related versions.
The impact of CVE-2024-8980 is severe due to the ability to execute arbitrary Groovy scripts. An attacker could leverage this vulnerability to gain unauthorized access to sensitive data, modify system configurations, or even execute malicious code on the server. Successful exploitation could lead to complete compromise of the Liferay Portal instance and potentially the underlying infrastructure. The ability to execute Groovy scripts elevates the risk significantly, as it bypasses standard security controls and allows for a wide range of malicious actions. This vulnerability shares similarities with other CSRF vulnerabilities that have led to significant data breaches and system takeovers.
CVE-2024-8980 was publicly disclosed on October 22, 2024. While no active exploitation campaigns have been publicly confirmed, the critical severity and ease of exploitation make it a high-priority target. No public proof-of-concept (PoC) code has been released as of this writing, but the vulnerability's nature suggests that PoCs are likely to emerge. This CVE is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.38% (60% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-8980 is to upgrade to a patched version of Liferay Portal or DXP. Upgrade to Liferay Portal 7.4.3.102-GA102, Liferay DXP 2024.Q1.1, Liferay DXP 2023.Q3.5, or later. If immediate patching is not possible, consider implementing temporary workarounds such as restricting access to the Script Console, implementing strict input validation, and enabling CSRF protection mechanisms within the application. Review and strengthen existing CSRF protection measures. After upgrade, confirm the vulnerability is resolved by attempting to trigger a script execution via a crafted URL and verifying that the request is blocked.
Update Liferay Portal to a version that has addressed the CSRF vulnerability. Refer to the Liferay security advisory for details on patched versions and specific upgrade instructions.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-8980 is a critical Cross-Site Request Forgery (CSRF) vulnerability in Liferay Portal and DXP versions allowing attackers to execute arbitrary Groovy scripts.
If you are running Liferay Portal or DXP versions 7.0.0 through 7.4.3.101, you are potentially affected by this vulnerability.
Upgrade to Liferay Portal 7.4.3.102-GA102, Liferay DXP 2024.Q1.1, or a later patched version to mitigate the vulnerability.
While no active exploitation campaigns have been publicly confirmed, the critical severity and ease of exploitation make it a high-priority target.
Refer to the official Liferay security advisory for detailed information and updates: [https://liferay.com/security/advisory/liferay-portal-dxp-csrf-script-console](https://liferay.com/security/advisory/liferay-portal-dxp-csrf-script-console)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your pom.xml file and we'll tell you instantly if you're affected.