Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-chj2-4vg7-hhg3

GitHub Security Advisory

Liferay Portal and Liferay DXP Vulnerable to CSRF in the Script Console

✓ GitHub Reviewed CRITICAL Has CVE
View on GitHub

Advisory Details

The Script Console in Liferay Portal 7.0.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, 7.2 GA through fix pack 20, 7.1 GA through fix pack 28, 7.0 GA through fix pack 102 and 6.2 GA through fix pack 173 does not sufficiently protect against Cross-Site Request Forgery (CSRF) attacks, which allows remote attackers to execute arbitrary Groovy script via a crafted URL or a XSS vulnerability. This issue has been patched in Liferay Portal 7.4.3.102, Liferay DXP 2024.Q1.1, Liferay DXP 2023.Q4.0, Liferay DXP 2023.Q3.5, and Liferay DXP 7.3 Update 36.

Affected Packages

Maven com.liferay.portal:release.portal.bom
Affected versions: 7.0.0-a1 (fixed in 7.4.3.102-GA102)
Maven com.liferay.portal:release.dxp.bom
Affected versions: 2023.Q3.1 (fixed in 2023.Q3.5)
Maven com.liferay.portal:release.dxp.bom
Affected versions: 7.0.0-GA (last affected: 7.0.10.fp102)
Maven com.liferay.portal:release.dxp.bom
Affected versions: 7.1.0-GA (last affected: 7.1.10.fp28)
Maven com.liferay.portal:release.dxp.bom
Affected versions: 7.2.0.GA (last affected: 7.2.10.fp20)
Maven com.liferay.portal:release.dxp.bom
Affected versions: 7.3.0-GA (fixed in 7.3.10.u36)
Maven com.liferay.portal:release.dxp.bom
Affected versions: 7.4.0-GA (last affected: 7.4.13.u92)

Related CVEs

CVE-2024-8980

Key Information

GHSA ID
GHSA-chj2-4vg7-hhg3
Published
October 22, 2024 6:32 PM
Last Modified
July 29, 2025 1:05 PM
CVSS Score
9.0 /10
Primary Ecosystem
Maven
Primary Package
com.liferay.portal:release.portal.bom
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 11, 2025 6:35 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.