CVE-2024-26272: 
Java vulnerability analysis and mitigation

Cross-site request forgery (CSRF) vulnerability (CVE-2024-26272) was discovered in the content page editor of Liferay Portal and Liferay DXP. The vulnerability affects Liferay Portal versions 7.3.2 through 7.4.3.107, and Liferay DXP versions 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92 and 7.3 GA through update 35. The vulnerability was reported by NDIx and published on September 12, 2024 (Liferay Advisory).

The vulnerability exists in the content page editor component and specifically involves the plback_url parameter. The severity of this vulnerability is rated as HIGH with a CVSS v3.1 base score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). This indicates that the vulnerability requires network access, low attack complexity, no privileges, and user interaction, while potentially impacting confidentiality, integrity, and availability at high levels (NVD).

The vulnerability allows remote attackers to perform multiple critical administrative actions including: changing user passwords, shutting down the server, executing arbitrary code in the scripting console, and performing other administrative actions (Liferay Advisory).

Fixed versions have been released to address this vulnerability. Users should upgrade to Liferay Portal 7.4.3.108, Liferay DXP 2024.Q1.1, Liferay DXP 2023.Q4.3, Liferay DXP 2023.Q3.6, or Liferay DXP 7.3 Update 36 (Liferay Advisory).