CVE-2024-25149

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.2.0 through 7.4.1 Liferay DXP 7.3 before service pack 3 Liferay DXP 7.2 before fix pack 15 Liferay Portal older unsupported versions Liferay DXP older unsupported versions

Description The issue arises from improper restriction of membership in a child site when the "Limit membership to members of the parent site" option is enabled. This allows remote authenticated users to add users who are not members of the parent site to a child site, potentially granting those users permission to perform unauthorized actions within the child site.

Recommendations For Liferay Portal versions 7.2.0 through 7.4.1, update to a version that includes the necessary security fixes. For Liferay DXP 7.3, apply service pack 3 or later. For Liferay DXP 7.2, apply fix pack 15 or later. For older unsupported versions of Liferay Portal and Liferay DXP, consider upgrading to a supported version to mitigate the risk of exploitation. As a temporary workaround, consider disabling the "Limit membership to members of the parent site" option until a patch is available. Restrict access to child sites to minimize the risk of unauthorized user additions.