Liferay Portal and Liferay DXP Insufficient CSRF Protection Vulnerability for Omni-Administrators

Vulnerability

A vulnerability exists in Liferay Portal versions 7.0.0 through 7.4.3.119, as well as in Liferay DXP versions 2024.Q1.1 through 2024.Q1.6, 2023.Q4.0 through 2023.Q4.9, 2023.Q3.1 through 2023.Q3.9, 7.4 GA through update 92, 7.3 GA through update 36, and older unsupported versions. This vulnerability allows attackers to perform Cross-Site Request Forgery (CSRF) attacks against omni-administrator users due to inadequate CSRF protection.

Impact

Exploitation of this vulnerability allows Cross-Site Request Forgery attacks in which an attacker tricks an authenticated omni-administrator user into performing actions without their consent.

Remediation

Users can upgrade to Liferay Portal 7.4.3.120, Liferay DXP 2024.Q2.0, or Liferay DXP 2024.Q1.7 to address this vulnerability.

Added: Aug 20, 2025, 3:21 PM
Updated: Aug 20, 2025, 3:21 PM

Vulnerability Rating

Custom Algorithm

Metric          Score
spread          3.1
impact          0.6
exploitability  6.0
remediation     7.7
relevance       0.4
threat          0.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.