CVE-2023-35030

HIGH

Liferay DXP 7.4.3.70-7.4.3.76 - Cross-Site Request Forgery via SEO Configuration BackURL Parameter

Title source: llm

Description

Cross-site request forgery (CSRF) vulnerability in the Layout module's SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.76, and Liferay DXP 7.4 update 70 through 76 allows remote attackers to execute arbitrary code in the scripting console via the `_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL` parameter.

References (1)

Core 1

Core References

Patch, Vendor Advisory vendor-advisory

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-35030

Scores

CVSS v3 8.8

EPSS 0.0143

EPSS Percentile 80.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-352

Status published

Products (4)

com.liferay.portal/release.dxp.bom 7.4.13.u70Maven

com.liferay.portal/release.portal.bom 7.4.3.70-ga70 - 7.4.3.77-ga77Maven

liferay/dxp 7.4 update_70 (7 CPE variants)

liferay/liferay_portal 7.4.3.70 - 7.4.3.77

Published Jun 15, 2023

Tracked Since Feb 18, 2026