CVE-2024-26270

MEDIUM6.5EPSS 0.18%

Liferay Portal and Liferay DXP vulnerable to theft of hashed password

發布日:2024/2/20修改日:2025/1/28

描述

The Account Settings page in Liferay Portal 7.4.3.76 through 7.4.3.99, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 76 through 92 embeds the user’s hashed password in the page’s HTML source, which allows man-in-the-middle attackers to steal a user's hashed password.

受影響套件(2)

Maven/com.liferay.portal:release.dxp.bom>= 2023.Q3, < 2023.Q3.5
Maven/com.liferay.portal:release.portal.bom>= 7.4.3.76, < 7.4.3.100

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

參考連結(3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-26270
PATCHhttps://github.com/liferay/liferay-portal
WEBhttps://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26270