CVE-2024-25150

Published: Feb 20, 2024Modified: Dec 10, 2024

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

Information disclosure vulnerability in the Control Panel in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions allows remote authenticated users to obtain a user's full name from the page's title by enumerating user screen names.

Affected (32)

Products: Liferay: Digital Experience Platform, Liferay Portal

Liferay

2 products

Digital Experience Platform

Liferay Portal

Configuration A

32 vulnerable

Vulnerable Software	Affected Versions
Liferay Digital Experience Platform	Before 7.2
Liferay Digital Experience Platform	Version 7.2
Liferay Digital Experience Platform	Version 7.2 fix_pack_10
Liferay Digital Experience Platform	Version 7.2 fix_pack_11
Liferay Digital Experience Platform	Version 7.2 fix_pack_12
Liferay Digital Experience Platform	Version 7.2 fix_pack_13
Liferay Digital Experience Platform	Version 7.2 fix_pack_14
Liferay Digital Experience Platform	Version 7.2 fix_pack_15
Liferay Digital Experience Platform	Version 7.2 fix_pack_16
Liferay Digital Experience Platform	Version 7.2 fix_pack_17
Liferay Digital Experience Platform	Version 7.2 fix_pack_18
Liferay Digital Experience Platform	Version 7.2 fix_pack_1
Liferay Digital Experience Platform	Version 7.2 fix_pack_2
Liferay Digital Experience Platform	Version 7.2 fix_pack_3
Liferay Digital Experience Platform	Version 7.2 fix_pack_4
Liferay Digital Experience Platform	Version 7.2 fix_pack_5
Liferay Digital Experience Platform	Version 7.2 fix_pack_6
Liferay Digital Experience Platform	Version 7.2 fix_pack_7
Liferay Digital Experience Platform	Version 7.2 fix_pack_8
Liferay Digital Experience Platform	Version 7.2 fix_pack_9
Liferay Digital Experience Platform	Version 7.2 service_pack_1
Liferay Digital Experience Platform	Version 7.2 service_pack_2
Liferay Digital Experience Platform	Version 7.2 service_pack_3
Liferay Digital Experience Platform	Version 7.2 service_pack_4
Liferay Digital Experience Platform	Version 7.2 service_pack_5
Liferay Digital Experience Platform	Version 7.2 service_pack_6
Liferay Digital Experience Platform	Version 7.3
Liferay Digital Experience Platform	Version 7.3 fix_pack_1
Liferay Digital Experience Platform	Version 7.3 fix_pack_2
Liferay Digital Experience Platform	Version 7.3 service_pack_1
Liferay Digital Experience Platform	Version 7.3 service_pack_3
Liferay Liferay Portal	Before 7.4.3.4

Related CWEs

CWE-201

Insertion of Sensitive Information Into Sent Data

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

References (2)

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25150

Source: security@liferay.com

Vendor Advisory

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25150

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.