CVE-2024-26270

Summary

The Account Settings page in Liferay Portal 7.4.3.76 through 7.4.3.99, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 76 through 92 embeds the user’s hashed password in the page’s HTML source, which allows man-in-the-middle attackers to steal a user's hashed password.

Affected Software

VendorProductVersion RangeStatus
LiferayPortal7.4.3.76 <= 7.4.3.99affected
LiferayDXP2023.q3.1 <= 2023.q3.4affected
LiferayDXP7.4.13.u76 <= 7.4.13.u92affected

Weaknesses

  • CWE-201: CWE-201 Insertion of Sensitive Information Into Sent Data

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References