GHSA-chj2-4vg7-hhg3

Source

https://github.com/advisories/GHSA-chj2-4vg7-hhg3

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-chj2-4vg7-hhg3/GHSA-chj2-4vg7-hhg3.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-chj2-4vg7-hhg3

Aliases

CVE-2024-8980

Published

2024-10-22T18:32:11Z

Modified

2025-07-29T13:27:21.400918Z

Severity

9.6 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVSS Calculator

Summary

Liferay Portal and Liferay DXP Vulnerable to CSRF in the Script Console

Details

The Script Console in Liferay Portal 7.0.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, 7.2 GA through fix pack 20, 7.1 GA through fix pack 28, 7.0 GA through fix pack 102 and 6.2 GA through fix pack 173 does not sufficiently protect against Cross-Site Request Forgery (CSRF) attacks, which allows remote attackers to execute arbitrary Groovy script via a crafted URL or a XSS vulnerability. This issue has been patched in Liferay Portal 7.4.3.102, Liferay DXP 2024.Q1.1, Liferay DXP 2023.Q4.0, Liferay DXP 2023.Q3.5, and Liferay DXP 7.3 Update 36.

Database specific

{
    "severity": "CRITICAL",
    "github_reviewed_at": "2025-07-29T13:05:38Z",
    "github_reviewed": true,
    "nvd_published_at": "2024-10-22T15:15:07Z",
    "cwe_ids": [
        "CWE-352"
    ]
}

References

Affected packages

Maven

com.liferay.portal:release.portal.bom

Package

Name: com.liferay.portal:release.portal.bom; View open source insights on deps.dev
Purl: pkg:maven/com.liferay.portal/release.portal.bom

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.0.0-a1

Fixed

7.4.3.102-GA102

Affected versions

7.*

7.0.6

7.0.6-1

7.0.6-2

7.1.0

7.1.1

7.1.2

7.1.3

7.1.3-1

7.2.0

7.2.1

7.2.1-1

7.3.0

7.3.0-1

7.3.1

7.3.1-1

7.3.2

7.3.2-1

7.3.3

7.3.3-1

7.3.4

7.3.5

7.3.6

7.3.7

7.4.0

7.4.1

7.4.1-1

7.4.2

7.4.2-1

7.4.3.4

7.4.3.5

7.4.3.6

7.4.3.7

7.4.3.8

7.4.3.9

7.4.3.10

7.4.3.11

7.4.3.12

7.4.3.13

7.4.3.14

7.4.3.15

7.4.3.16

7.4.3.17

7.4.3.18

7.4.3.19

7.4.3.20

7.4.3.20-ga20

7.4.3.21

7.4.3.21-ga21

7.4.3.22

7.4.3.23

7.4.3.24

7.4.3.25

7.4.3.26

7.4.3.27

7.4.3.28

7.4.3.29

7.4.3.30

7.4.3.31

7.4.3.32

7.4.3.33

7.4.3.34

7.4.3.35

7.4.3.36

7.4.3.37

7.4.3.38

7.4.3.39

7.4.3.40

7.4.3.41

7.4.3.42

7.4.3.43

7.4.3.44

7.4.3.45

7.4.3.46

7.4.3.47

7.4.3.48

7.4.3.49

7.4.3.50

7.4.3.51

7.4.3.52

7.4.3.53

7.4.3.54

7.4.3.55

7.4.3.56

7.4.3.57

7.4.3.58

7.4.3.59

7.4.3.60

7.4.3.60-ga60

7.4.3.61

7.4.3.61-ga61

7.4.3.62

7.4.3.63

7.4.3.64

7.4.3.65

7.4.3.66

7.4.3.67

7.4.3.68

7.4.3.69

7.4.3.70

7.4.3.71

7.4.3.72

7.4.3.73

7.4.3.74

7.4.3.75

7.4.3.76

7.4.3.77

7.4.3.78

7.4.3.79

7.4.3.80

7.4.3.81

7.4.3.82

7.4.3.83

7.4.3.84

7.4.3.85

7.4.3.85-ga85

7.4.3.86

7.4.3.87

7.4.3.88

7.4.3.89

7.4.3.90

7.4.3.91

7.4.3.92

7.4.3.93

7.4.3.94

7.4.3.95

7.4.3.95-1

7.4.3.96

7.4.3.97

7.4.3.98

7.4.3.99

7.4.3.100

7.4.3.101

7.4.3.102

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-chj2-4vg7-hhg3/GHSA-chj2-4vg7-hhg3.json"

com.liferay.portal:release.dxp.bom

Package

Name: com.liferay.portal:release.dxp.bom; View open source insights on deps.dev
Purl: pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2023.Q3.1

Fixed

2023.Q3.5

Affected versions

2023.*

2023.q3.1

2023.q3.2

2023.q3.3

2023.q3.4

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-chj2-4vg7-hhg3/GHSA-chj2-4vg7-hhg3.json"

com.liferay.portal:release.dxp.bom

Package

Name: com.liferay.portal:release.dxp.bom; View open source insights on deps.dev
Purl: pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.0.0-GA

Last affected

7.0.10.fp102

Affected versions

7.*

7.0.10.fp60

7.0.10.fp61

7.0.10.fp62

7.0.10.fp63

7.0.10.fp64

7.0.10.fp65

7.0.10.fp66

7.0.10.fp67

7.0.10.fp68

7.0.10.fp69

7.0.10.fp70

7.0.10.fp71

7.0.10.fp72

7.0.10.fp73

7.0.10.fp74

7.0.10.fp75

7.0.10.fp76

7.0.10.fp77

7.0.10.fp78

7.0.10.fp79

7.0.10.fp80

7.0.10.fp81

7.0.10.fp82

7.0.10.fp83

7.0.10.fp84

7.0.10.fp85

7.0.10.fp85-1

7.0.10.fp86

7.0.10.fp86-1

7.0.10.fp87

7.0.10.fp87-1

7.0.10.fp88

7.0.10.fp89

7.0.10.fp90

7.0.10.fp91

7.0.10.fp92

7.0.10.fp94

7.0.10.fp94-1

7.0.10.fp95

7.0.10.fp95-1

7.0.10.fp95-2

7.0.10.fp97

7.0.10.fp98

7.0.10.fp100

7.0.10.fp101

7.0.10.fp102

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-chj2-4vg7-hhg3/GHSA-chj2-4vg7-hhg3.json"

com.liferay.portal:release.dxp.bom

Package

Name: com.liferay.portal:release.dxp.bom; View open source insights on deps.dev
Purl: pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.1.0-GA

Last affected

7.1.10.fp28

Affected versions

7.*

7.1.10

7.1.10.fp1

7.1.10.fp2

7.1.10.fp3

7.1.10.fp4

7.1.10.fp5

7.1.10.fp6

7.1.10.fp7

7.1.10.fp8

7.1.10.fp9

7.1.10.fp10

7.1.10.fp11

7.1.10.fp12

7.1.10.fp13

7.1.10.fp14

7.1.10.fp15

7.1.10.fp16

7.1.10.fp17

7.1.10.fp18

7.1.10.fp19

7.1.10.fp20

7.1.10.fp22

7.1.10.fp24

7.1.10.fp25

7.1.10.fp26

7.1.10.fp27

7.1.10.fp28

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-chj2-4vg7-hhg3/GHSA-chj2-4vg7-hhg3.json"

com.liferay.portal:release.dxp.bom

Package

Name: com.liferay.portal:release.dxp.bom; View open source insights on deps.dev
Purl: pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.2.0.GA

Last affected

7.2.10.fp20

Affected versions

7.*

7.2.1

7.2.10

7.2.10.fp1

7.2.10.fp1-1

7.2.10.fp2

7.2.10.fp3

7.2.10.fp4

7.2.10.fp5

7.2.10.fp6

7.2.10.fp7

7.2.10.fp8

7.2.10.fp9

7.2.10.fp10

7.2.10.fp11

7.2.10.fp12

7.2.10.fp13

7.2.10.fp14

7.2.10.fp15

7.2.10.fp16

7.2.10.fp17

7.2.10.fp18

7.2.10.fp19

7.2.10.fp20

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-chj2-4vg7-hhg3/GHSA-chj2-4vg7-hhg3.json"

com.liferay.portal:release.dxp.bom

Package

Name: com.liferay.portal:release.dxp.bom; View open source insights on deps.dev
Purl: pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.3.0-GA

Fixed

7.3.10.u36

Affected versions

7.*

7.3.10

7.3.10.ep3

7.3.10.ep4

7.3.10.ep5

7.3.10.fp1

7.3.10.fp2

7.3.10.u4

7.3.10.u5

7.3.10.u6

7.3.10.u7

7.3.10.u8

7.3.10.u9

7.3.10.u10

7.3.10.u11

7.3.10.u12

7.3.10.u13

7.3.10.u14

7.3.10.u15

7.3.10.u16

7.3.10.u17

7.3.10.u18

7.3.10.u19

7.3.10.u19-1

7.3.10.u20

7.3.10.u20-1

7.3.10.u21

7.3.10.u21-1

7.3.10.u22

7.3.10.u22-1

7.3.10.u23

7.3.10.u24

7.3.10.u25

7.3.10.u26

7.3.10.u27

7.3.10.u28

7.3.10.u29

7.3.10.u30

7.3.10.u31

7.3.10.u32

7.3.10.u33

7.3.10.u34

7.3.10.u35

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-chj2-4vg7-hhg3/GHSA-chj2-4vg7-hhg3.json"

com.liferay.portal:release.dxp.bom

Package

Name: com.liferay.portal:release.dxp.bom; View open source insights on deps.dev
Purl: pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.4.0-GA

Last affected

7.4.13.u92

Affected versions

7.*

7.4.10.ep1

7.4.11

7.4.12

7.4.13

7.4.13.u1

7.4.13.u2

7.4.13.u3

7.4.13.u4

7.4.13.u5

7.4.13.u6

7.4.13.u7

7.4.13.u8

7.4.13.u9

7.4.13.u10

7.4.13.u15

7.4.13.u16

7.4.13.u17

7.4.13.u18

7.4.13.u19

7.4.13.u20

7.4.13.u21

7.4.13.u22

7.4.13.u23

7.4.13.u24

7.4.13.u25

7.4.13.u26

7.4.13.u27

7.4.13.u28

7.4.13.u29

7.4.13.u30

7.4.13.u31

7.4.13.u32

7.4.13.u33

7.4.13.u34

7.4.13.u35

7.4.13.u36

7.4.13.u37

7.4.13.u38

7.4.13.u39

7.4.13.u40

7.4.13.u41

7.4.13.u42

7.4.13.u43

7.4.13.u44

7.4.13.u45

7.4.13.u46

7.4.13.u47

7.4.13.u48

7.4.13.u49

7.4.13.u50

7.4.13.u51

7.4.13.u52

7.4.13.u53

7.4.13.u54

7.4.13.u55

7.4.13.u56

7.4.13.u57

7.4.13.u58

7.4.13.u59

7.4.13.u60

7.4.13.u61

7.4.13.u62

7.4.13.u63

7.4.13.u64

7.4.13.u65

7.4.13.u66

7.4.13.u67

7.4.13.u68

7.4.13.u69

7.4.13.u70

7.4.13.u71

7.4.13.u72

7.4.13.u73

7.4.13.u74

7.4.13.u75

7.4.13.u76

7.4.13.u77

7.4.13.u78

7.4.13.u79

7.4.13.u80

7.4.13.u81

7.4.13.u82

7.4.13.u83

7.4.13.u84

7.4.13.u85

7.4.13.u86

7.4.13.u87

7.4.13.u88

7.4.13.u89

7.4.13.u90

7.4.13.u91

7.4.13.u92

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-chj2-4vg7-hhg3/GHSA-chj2-4vg7-hhg3.json"