CVE-2024-26265

MEDIUM

Liferay Portal 7.2.0-7.4.3.15 & DXP <7.4 U16 - Authenticated Arbitrary File Upload

Title source: llm

Description

The Image Uploader module in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions relies on a request parameter to limit the size of files that can be uploaded, which allows remote authenticated users to upload arbitrarily large files to the system's temp folder by modifying the `maxFileSize` parameter.

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26265

Scores

CVSS v3 5.0

EPSS 0.0069

EPSS Percentile 72.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-770

Status published

Products (6)

com.liferay.portal/release.portal.bom 0 - 7.4.3.16Maven

liferay/digital_experience_platform 7.2 (25 CPE variants)

liferay/digital_experience_platform 7.3 (5 CPE variants)

liferay/digital_experience_platform 7.4 (16 CPE variants)

liferay/digital_experience_platform < 7.2

liferay/liferay_portal < 7.3.7

Published Feb 20, 2024

Tracked Since Feb 18, 2026