1. Home
  2. CVE Database
  3. CVE-2024-26265
MEDIUM · 5.0

CVE-2024-26265

The Image Uploader module in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 19, and older unsuppo...

Vulnerability Description

The Image Uploader module in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions relies on a request parameter to limit the size of files that can be uploaded, which allows remote authenticated users to upload arbitrarily large files to the system's temp folder by modifying the `maxFileSize` parameter.

CVSS Score

5.0

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality
NONE
Integrity
NONE
Availability
LOW

Affected Products

VendorProductVersions
LiferayLiferay Portal<= 7.3.7
LiferayDigital Experience Platform< 7.2

Related Weaknesses (CWE)

CWE-770

References

FAQ

What is CVE-2024-26265?

CVE-2024-26265 is a vulnerability with a CVSS score of 5.0 (MEDIUM). The Image Uploader module in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 19, and older unsuppo...

How severe is CVE-2024-26265?

CVE-2024-26265 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-26265?

Check the references section above for vendor advisories and patch information. Affected products include: Liferay Liferay Portal, Liferay Digital Experience Platform.