CVE-2024-25604

Published: Feb 20, 2024Modified: Dec 10, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions does not properly check user permissions, which allows remote authenticated users with the VIEW user permission to edit their own permission via the User and Organizations section of the Control Panel.

Affected (28)

Products: Liferay: Digital Experience Platform, Liferay Portal

Liferay

2 products

Digital Experience Platform

Liferay Portal

Configuration A

28 vulnerable

Vulnerable Software	Affected Versions
Liferay Digital Experience Platform	Before 7.2
Liferay Digital Experience Platform	Version 7.2
Liferay Digital Experience Platform	Version 7.2 fix_pack_10
Liferay Digital Experience Platform	Version 7.2 fix_pack_11
Liferay Digital Experience Platform	Version 7.2 fix_pack_12
Liferay Digital Experience Platform	Version 7.2 fix_pack_13
Liferay Digital Experience Platform	Version 7.2 fix_pack_14
Liferay Digital Experience Platform	Version 7.2 fix_pack_15
Liferay Digital Experience Platform	Version 7.2 fix_pack_16
Liferay Digital Experience Platform	Version 7.2 fix_pack_1
Liferay Digital Experience Platform	Version 7.2 fix_pack_2
Liferay Digital Experience Platform	Version 7.2 fix_pack_3
Liferay Digital Experience Platform	Version 7.2 fix_pack_4
Liferay Digital Experience Platform	Version 7.2 fix_pack_5
Liferay Digital Experience Platform	Version 7.2 fix_pack_6
Liferay Digital Experience Platform	Version 7.2 fix_pack_7
Liferay Digital Experience Platform	Version 7.2 fix_pack_8
Liferay Digital Experience Platform	Version 7.2 service_pack_1
Liferay Digital Experience Platform	Version 7.2 service_pack_2
Liferay Digital Experience Platform	Version 7.2 service_pack_3
Liferay Digital Experience Platform	Version 7.2 service_pack_4
Liferay Digital Experience Platform	Version 7.2 service_pack_5
Liferay Digital Experience Platform	Version 7.3
Liferay Digital Experience Platform	Version 7.3 fix_pack_1
Liferay Digital Experience Platform	Version 7.3 fix_pack_2
Liferay Digital Experience Platform	Version 7.3 service_pack_1
Liferay Digital Experience Platform	Version 7.4
Liferay Liferay Portal	Before 7.4.3.5

Related CWEs

CWE-863

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (2)

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25604

Source: security@liferay.com

Vendor Advisory

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25604

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.