GHSA-w275-m8cr-hf2v

Suggest an improvement
Source
https://github.com/advisories/GHSA-w275-m8cr-hf2v
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-w275-m8cr-hf2v/GHSA-w275-m8cr-hf2v.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-w275-m8cr-hf2v
Aliases
Published
2024-02-08T06:30:23Z
Modified
2024-10-02T18:50:00.559570Z
Severity
  • 4.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L CVSS Calculator
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L CVSS Calculator
Summary
Liferay Portal denial-of-service vulnerability
Details

The IFrame widget in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 6, 7.2 before fix pack 19, and older unsupported versions does not check the URL of the IFrame, which allows remote authenticated users to cause a denial-of-service (DoS) via a self referencing IFrame.

Database specific
{
    "nvd_published_at": "2024-02-08T04:15:07Z",
    "cwe_ids": [
        "CWE-834",
        "CWE-835"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-08T18:26:20Z"
}
References

Affected packages

Maven / com.liferay.portal:release.portal.bom

Package

Name
com.liferay.portal:release.portal.bom
View open source insights on deps.dev
Purl
pkg:maven/com.liferay.portal/release.portal.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.2.0
Fixed
7.4.3.27

Affected versions

7.*

7.2.0
7.2.1
7.2.1-1
7.3.0
7.3.0-1
7.3.1
7.3.1-1
7.3.2
7.3.2-1
7.3.3
7.3.3-1
7.3.4
7.3.5
7.3.6
7.3.7
7.4.0
7.4.1
7.4.1-1
7.4.2
7.4.2-1
7.4.3.4
7.4.3.5
7.4.3.6
7.4.3.7
7.4.3.8
7.4.3.9
7.4.3.10
7.4.3.11
7.4.3.12
7.4.3.13
7.4.3.14
7.4.3.15
7.4.3.16
7.4.3.17
7.4.3.18
7.4.3.19
7.4.3.20
7.4.3.20-ga20
7.4.3.21
7.4.3.21-ga21
7.4.3.22
7.4.3.23
7.4.3.24
7.4.3.25
7.4.3.26

Maven / com.liferay.portal:release.dxp.bom

Package

Name
com.liferay.portal:release.dxp.bom
View open source insights on deps.dev
Purl
pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.2.0
Fixed
7.2.10.fp19

Affected versions

7.*

7.2.1
7.2.10
7.2.10.fp1
7.2.10.fp1-1
7.2.10.fp2
7.2.10.fp3
7.2.10.fp4
7.2.10.fp5
7.2.10.fp6
7.2.10.fp7
7.2.10.fp8
7.2.10.fp9
7.2.10.fp10
7.2.10.fp11
7.2.10.fp12
7.2.10.fp13
7.2.10.fp14
7.2.10.fp15
7.2.10.fp16
7.2.10.fp17
7.2.10.fp18

Maven / com.liferay.portal:release.dxp.bom

Package

Name
com.liferay.portal:release.dxp.bom
View open source insights on deps.dev
Purl
pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.3.0
Fixed
7.3.10.u6

Affected versions

7.*

7.3.10
7.3.10.ep3
7.3.10.ep4
7.3.10.ep5
7.3.10.fp1
7.3.10.fp2
7.3.10.u4
7.3.10.u5

Maven / com.liferay.portal:release.dxp.bom

Package

Name
com.liferay.portal:release.dxp.bom
View open source insights on deps.dev
Purl
pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.4.0
Fixed
7.4.13.u27

Affected versions

7.*

7.4.10.ep1
7.4.11
7.4.12
7.4.13
7.4.13.u1
7.4.13.u2
7.4.13.u3
7.4.13.u4
7.4.13.u5
7.4.13.u6
7.4.13.u7
7.4.13.u8
7.4.13.u9
7.4.13.u10
7.4.13.u15
7.4.13.u16
7.4.13.u17
7.4.13.u18
7.4.13.u19
7.4.13.u20
7.4.13.u21
7.4.13.u22
7.4.13.u23
7.4.13.u24
7.4.13.u25
7.4.13.u26