CVE-2024-26270

Published: Feb 20, 2024Modified: Jan 28, 2025

5.3

Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 1.6 / Impact: 3.6

Source: NVD

Description

The Account Settings page in Liferay Portal 7.4.3.76 through 7.4.3.99, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 76 through 92 embeds the user’s hashed password in the page’s HTML source, which allows man-in-the-middle attackers to steal a user's hashed password.

Affected (23)

Products: Liferay: Liferay Portal, Digital Experience Platform

Liferay

2 products

Liferay Portal

Digital Experience Platform

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Liferay Liferay Portal	From 7.4.3.76 to 7.4.3.100

Configuration B

22 vulnerable

Vulnerable Software	Affected Versions
Liferay Digital Experience Platform	Version 2023.q3.0
Liferay Digital Experience Platform	Version 2023.q3.1
Liferay Digital Experience Platform	Version 2023.q3.2
Liferay Digital Experience Platform	Version 2023.q3.3
Liferay Digital Experience Platform	Version 2023.q3.4
Liferay Digital Experience Platform	Version 7.4 update76
Liferay Digital Experience Platform	Version 7.4 update77
Liferay Digital Experience Platform	Version 7.4 update78
Liferay Digital Experience Platform	Version 7.4 update79
Liferay Digital Experience Platform	Version 7.4 update80
Liferay Digital Experience Platform	Version 7.4 update81
Liferay Digital Experience Platform	Version 7.4 update82
Liferay Digital Experience Platform	Version 7.4 update83
Liferay Digital Experience Platform	Version 7.4 update84
Liferay Digital Experience Platform	Version 7.4 update85
Liferay Digital Experience Platform	Version 7.4 update86
Liferay Digital Experience Platform	Version 7.4 update87
Liferay Digital Experience Platform	Version 7.4 update88
Liferay Digital Experience Platform	Version 7.4 update89
Liferay Digital Experience Platform	Version 7.4 update90
Liferay Digital Experience Platform	Version 7.4 update91
Liferay Digital Experience Platform	Version 7.4 update92

Related CWEs

CWE-201

Insertion of Sensitive Information Into Sent Data

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

References (2)

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26270

Source: security@liferay.com

Vendor Advisory

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26270

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.