PT-2024-20784 · Liferay · Liferay Portal+1

Sahil Mehra · Published 2024-02-20 · Updated 2024-12-10 · CVE-2024-25150

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Liferay Portal versions 7.2.0 through 7.4.2
Liferay DXP 7.3 before update 4
Liferay DXP 7.2 before fix pack 19

Description

The issue allows remote authenticated users to obtain a user's full name from the page's title by enumerating user screen names. This is an information disclosure vulnerability in the Control Panel.

Recommendations

For Liferay Portal versions 7.2.0 through 7.4.2, update to a version outside of this range to resolve the issue.
For Liferay DXP 7.3, apply update 4 or later.
For Liferay DXP 7.2, apply fix pack 19 or later.
As a temporary workaround, consider restricting access to the Control Panel to minimize the risk of exploitation.

Fix

Weakness Enumeration

Related Identifiers

CVE-2024-25150
GHSA-4585-28V2-8H46

Affected Products

Liferay DXP
Liferay Portal