← Back

CVE-2024-25605

nvd nist
Published: Feb 20, 2024Modified: Dec 10, 2024

JSON object

Loading...
5.3
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 / Impact: 1.4
Source: NVD

Description

The Journal module in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions grants guest users view permission to web content templates by default, which allows remote attackers to view any template via the UI or API.

Affected (29)

Liferay
2 products
Digital Experience Platform
Liferay Portal
Configuration A
29 vulnerable
Vulnerable SoftwareAffected Versions
Liferay
Digital Experience Platform
Before 7.2
Digital Experience Platform
Version 7.2
Digital Experience Platform
Version 7.2 fix_pack_10
Digital Experience Platform
Version 7.2 fix_pack_11
Digital Experience Platform
Version 7.2 fix_pack_12
Digital Experience Platform
Version 7.2 fix_pack_13
Digital Experience Platform
Version 7.2 fix_pack_14
Digital Experience Platform
Version 7.2 fix_pack_15
Digital Experience Platform
Version 7.2 fix_pack_16
Digital Experience Platform
Version 7.2 fix_pack_1
Digital Experience Platform
Version 7.2 fix_pack_2
Digital Experience Platform
Version 7.2 fix_pack_3
Digital Experience Platform
Version 7.2 fix_pack_4
Digital Experience Platform
Version 7.2 fix_pack_5
Digital Experience Platform
Version 7.2 fix_pack_6
Digital Experience Platform
Version 7.2 fix_pack_7
Digital Experience Platform
Version 7.2 fix_pack_8
Digital Experience Platform
Version 7.2 fix_pack_9
Digital Experience Platform
Version 7.2 service_pack_1
Digital Experience Platform
Version 7.2 service_pack_2
Digital Experience Platform
Version 7.2 service_pack_3
Digital Experience Platform
Version 7.2 service_pack_4
Digital Experience Platform
Version 7.2 service_pack_5
Digital Experience Platform
Version 7.3
Digital Experience Platform
Version 7.3 fix_pack_1
Digital Experience Platform
Version 7.3 fix_pack_2
Digital Experience Platform
Version 7.3 service_pack_1
Digital Experience Platform
Version 7.4
Liferay Portal
Before 7.4.3.5

Related CWEs

CWE-276
Incorrect Default Permissions
During installation, installed file permissions are set to allow anyone to modify those files.

References (2)

Source: security@liferay.com
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory

Timeline

No history available yet.