This CVE describes a Cross-Site Request Forgery (CSRF) vulnerability within specific versions of Liferay Portal and DXP. The flaw exists due to improper validation of the ‘endpoint’ parameter. An attacker can craft a malicious webpage that, when visited by an authenticated Liferay user, silently submits a forged HTTP request to the vulnerable Liferay instance. This request, which carries the user’s session cookies, tricks the application into executing a state-changing action on the attacker’s behalf. The vulnerability is exploitable because the application does not require a unique, unpredictable token (anti-CSRF token) to be present for requests utilizing this specific parameter, allowing the forged request to be processed as legitimate.
Platform: Liferay Portal/DXP
Version: 7.4.0-7.4.3.132
Vulnerability: CSRF
Severity: Moderate
Date: 2025-08-19
Prediction: 2025-09-19
What Undercode Says:
curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "endpoint=malicious-action&param=value" "http://target-liferay-host/o/api/path"
<html>
  <body>
    <form action="http://target-liferay-host/o/api/path" method="POST">
      <input type="hidden" name="endpoint" value="malicious-action"/>
      <input type="submit" value="Submit"/>
    </form>
  </body>
</html>
How to Exploit:
Craft a form or AJAX request targeting the vulnerable endpoint parameter, host it on an attacker-controlled site, and lure an authenticated user to visit it to perform unauthorized actions.
Protection from this CVE:
Apply the vendor patch. Require a strong, per-session anti-CSRF token on every state-changing request (including those that use the ‘endpoint’ parameter). Set the SameSite attribute on session cookies.
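The following is an added illustration of the token-plus-origin check that would have rejected the forged form above; it is example code, not Liferay’s implementation. The secret, the trusted origin, the session ids and the form field name csrf_token are constructed placeholders.

```python
import hmac
import hashlib
from urllib.parse import urlsplit

# Constructed example values (placeholders, not Liferay's real configuration).
SERVER_SECRET = b"example-server-secret-do-not-reuse"
TRUSTED_SCHEME_HOST = ("https", "portal.example.test")


def issue_csrf_token(session_id: str) -> str:
    """Derive a per-session synchronizer token to embed in legitimate forms.

    The token is an HMAC of the session id, so a form hosted on an attacker's
    site cannot know it and a token stolen from one session is useless in another.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _from_trusted_origin(headers: dict) -> bool:
    """Second, independent line of defence: Origin (or Referer) must be our own site."""
    source = headers.get("Origin") or headers.get("Referer") or ""
    parts = urlsplit(source)
    return (parts.scheme, parts.netloc) == TRUSTED_SCHEME_HOST


def is_state_change_allowed(session_id: str, form: dict, headers: dict) -> bool:
    """Return True only if the POST carries the session's token AND a trusted origin.

    A forged request like the one on this page (endpoint=malicious-action, no token,
    sent from an attacker-controlled page) fails the first check and is dropped.
    """
    expected = issue_csrf_token(session_id)
    supplied = form.get("csrf_token", "")
    # Constant-time compare so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, supplied):
        return False
    return _from_trusted_origin(headers)


def session_cookie_header(session_id: str) -> str:
    """Session cookie with SameSite=Lax: browsers omit it on cross-site POSTs,
    so the forged request from the attacker's page arrives unauthenticated."""
    return f"SESSIONID={session_id}; Secure; HttpOnly; SameSite=Lax"
```

The Origin check is a defence in depth for clients that send it; the token is the control that must never be optional.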
Impact:
Unauthorized state-changing actions performed as the victim user.
Sources:
Reported By: github.com