GHSA-p2fc-xxr8-fw3p

Source

https://github.com/advisories/GHSA-p2fc-xxr8-fw3p

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-p2fc-xxr8-fw3p/GHSA-p2fc-xxr8-fw3p.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-p2fc-xxr8-fw3p

Aliases

CVE-2023-35030

Published

2023-06-15T06:30:17Z

Modified

2025-08-08T21:44:55.875584Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Liferay Portal and Liferay DXP Vulnerable to CSRF via the Layout Module

Details

Cross-site request forgery (CSRF) vulnerability in the Layout module's SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.76, and Liferay DXP 7.4 update 70 through 76 allows remote attackers to execute arbitrary code in the scripting console via the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL parameter.

Database specific

{
    "github_reviewed": true,
    "severity": "HIGH",
    "nvd_published_at": "2023-06-15T05:15:09Z",
    "github_reviewed_at": "2025-08-08T21:12:24Z",
    "cwe_ids": [
        "CWE-352"
    ]
}

References

Affected packages

Maven / com.liferay.portal:release.portal.bom

Package

Name: com.liferay.portal:release.portal.bom; View open source insights on deps.dev
Purl: pkg:maven/com.liferay.portal/release.portal.bom

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.4.3.70-ga70

Fixed

7.4.3.77-ga77

Affected versions

7.*

7.4.3.71

7.4.3.72

7.4.3.73

7.4.3.74

7.4.3.75

7.4.3.76

7.4.3.77

Maven / com.liferay.portal:release.dxp.bom

Package

Name: com.liferay.portal:release.dxp.bom; View open source insights on deps.dev
Purl: pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.4.13.u70

Last affected

7.4.13.u76

Affected versions

7.*

7.4.13.u70

7.4.13.u71

7.4.13.u72

7.4.13.u73

7.4.13.u74

7.4.13.u75

7.4.13.u76