CVE-2024-25149

Published: Feb 20, 2024Modified: Dec 10, 2024

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.5

Source: NVD

Description

Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions does not properly restrict membership of a child site when the "Limit membership to members of the parent site" option is enabled, which allows remote authenticated users to add users who are not a member of the parent site to a child site. The added user may obtain permission to perform unauthorized actions in the child site.

Affected (26)

Products: Liferay: Digital Experience Platform, Liferay Portal

Liferay

2 products

Digital Experience Platform

Liferay Portal

Configuration A

26 vulnerable

Vulnerable Software	Affected Versions
Liferay Digital Experience Platform	Before 7.2
Liferay Digital Experience Platform	Version 7.2
Liferay Digital Experience Platform	Version 7.2 fix_pack_10
Liferay Digital Experience Platform	Version 7.2 fix_pack_11
Liferay Digital Experience Platform	Version 7.2 fix_pack_12
Liferay Digital Experience Platform	Version 7.2 fix_pack_13
Liferay Digital Experience Platform	Version 7.2 fix_pack_14
Liferay Digital Experience Platform	Version 7.2 fix_pack_1
Liferay Digital Experience Platform	Version 7.2 fix_pack_2
Liferay Digital Experience Platform	Version 7.2 fix_pack_3
Liferay Digital Experience Platform	Version 7.2 fix_pack_4
Liferay Digital Experience Platform	Version 7.2 fix_pack_5
Liferay Digital Experience Platform	Version 7.2 fix_pack_6
Liferay Digital Experience Platform	Version 7.2 fix_pack_7
Liferay Digital Experience Platform	Version 7.2 fix_pack_8
Liferay Digital Experience Platform	Version 7.2 fix_pack_9
Liferay Digital Experience Platform	Version 7.2 service_pack_1
Liferay Digital Experience Platform	Version 7.2 service_pack_2
Liferay Digital Experience Platform	Version 7.2 service_pack_3
Liferay Digital Experience Platform	Version 7.2 service_pack_4
Liferay Digital Experience Platform	Version 7.2 service_pack_5
Liferay Digital Experience Platform	Version 7.3
Liferay Digital Experience Platform	Version 7.3 fix_pack_1
Liferay Digital Experience Platform	Version 7.3 fix_pack_2
Liferay Digital Experience Platform	Version 7.3 service_pack_1
Liferay Liferay Portal	Before 7.4.2

Related CWEs

CWE-863

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (2)

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25149

Source: security@liferay.com

Vendor Advisory

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25149

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.