CVE-2023-35030 – com.liferay.portal:release.portal.bom

Package

Manager: maven
Name: com.liferay.portal:release.portal.bom
Vulnerable Version: >=7.4.3.70-ga70 <7.4.3.77-ga77

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00572 pctl0.67685

Details

Liferay Portal and Liferay DXP Vulnerable to CSRF via the Layout Module Cross-site request forgery (CSRF) vulnerability in the Layout module's SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.76, and Liferay DXP 7.4 update 70 through 76 allows remote attackers to execute arbitrary code in the scripting console via the `_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL` parameter.

Metadata

Created: 2023-06-15T06:30:17Z
Modified: 2025-08-08T21:12:24Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-p2fc-xxr8-fw3p/GHSA-p2fc-xxr8-fw3p.json
CWE IDs: ["CWE-352"]
Alternative ID: GHSA-p2fc-xxr8-fw3p
Finding: F007
Auto approve: 1