CVE-2024-25146

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.2.0 through 7.4.1 Liferay DXP versions 7.3 before service pack 3 Liferay DXP versions 7.2 before fix pack 18 Liferay Portal older unsupported versions Liferay DXP older unsupported versions

Description The issue allows remote attackers to discover the existence of sites by enumerating URLs, due to different responses depending on whether a site does not exist or if the user does not have permission to access the site. This occurs when locale.prepend.friendly.url.style=2 and a custom 404 page is used.

Recommendations For Liferay Portal versions 7.2.0 through 7.4.1, consider updating to a version that includes the fix for this issue. For Liferay DXP versions 7.3 before service pack 3, apply service pack 3 to resolve the issue. For Liferay DXP versions 7.2 before fix pack 18, apply fix pack 18 to resolve the issue. For Liferay Portal and Liferay DXP older unsupported versions, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider setting locale.prepend.friendly.url.style to a value other than 2 or avoiding the use of custom 404 pages until a patch is available.