Executive Summary
This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary | |
---|---|
Title | Liferay Portal fails to protect against CSRF |
Informations | |||
---|---|---|---|
Name | VU#767825 | First vendor Publication | 2008-01-31 |
Vendor | VU-CERT | Last vendor Modification | 2008-01-31 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:N/I:P/A:N) | |||
---|---|---|---|
Cvss Base Score | 4.3 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Vulnerability Note VU#767825Liferay Portal fails to protect against CSRFOverviewLiferay Portal fails to properly protect against Cross-Site Request Forgery (CSRF). This may allow a remote attacker to be able to forge requests that Liferay Portal takes action upon.I. DescriptionLiferay Portal is an enterprise portal solution that uses Java technologies. Liferay Portal fails to properly protect against CSRF attacks.II. ImpactA remote attacker may be able to forge requests that the Liferay Portal takes action upon.III. SolutionThis issue is addressed in Liferay version 4.4.0, as specified in Liferay support document LEP-4739. Version 4.4.0 forces requests to be in POST format, which helps mitigate CSRF attacks.Systems Affected
References
Thanks to Tomasz Kuczynski for reporting this vulnerability. This document was written by Will Dormann.
|
Original Source
Url : http://www.kb.cert.org/vuls/id/767825 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-352 | Cross-Site Request Forgery (CSRF) (CWE/SANS Top 25) |
CPE : Common Platform Enumeration
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
41338 | Liferay Portal Admin Portlet Shutdown Message CSRF |