PT-2024-21033 · Liferay · Liferay Portal, Liferay DXP

Published: 2024-02-20 · Updated: 2024-12-10 · CVE-2024-25604

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Liferay Portal versions 7.2.0 through 7.4.3.4
Liferay DXP versions 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17

Description

The issue allows remote authenticated users holding only the VIEW user permission to edit their own permissions via the "Users and Organizations" section of the Control Panel, because the permission check applied to the edit action is inadequate (improper user permission checks).

Recommendations

For Liferay Portal versions 7.2.0 through 7.4.3.4, update to a version that properly checks user permissions.
For Liferay DXP version 7.4.13, apply service pack 3 or later.
For Liferay DXP version 7.3, apply service pack 3 or later.
For Liferay DXP version 7.2, apply fix pack 17 or later.
As a temporary workaround, consider restricting access to the "Users and Organizations" section of the Control Panel for users that hold only the VIEW user permission.
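To make the flaw class concrete, the following simplified model is added to this advisory and is not Liferay code: the permission names VIEW and UPDATE, the check structure and the self-edit guard are assumptions modelling the description above, placing a permission update that only re-checks VIEW beside a hardened version that requires UPDATE and refuses self-edits.

```python
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    pass


@dataclass
class User:
    user_id: int
    permissions: set = field(default_factory=set)  # actions held on the User resource


def update_permissions_vulnerable(actor: User, target: User, new_perms: set) -> set:
    """Modelled flaw (assumption): the update action reuses the VIEW check that
    gates the Control Panel page, so a VIEW-only user can rewrite permissions,
    including their own."""
    if "VIEW" not in actor.permissions:
        raise AuthorizationError("VIEW permission required")
    target.permissions = set(new_perms)
    return target.permissions


def update_permissions_fixed(actor: User, target: User, new_perms: set) -> set:
    """Hardened check: editing permissions is a distinct UPDATE action, and a
    user may not change their own permission set (self-escalation guard).
    Both rules are this example's assumptions, not Liferay's actual fix."""
    if "UPDATE" not in actor.permissions:
        raise AuthorizationError("UPDATE permission required to edit permissions")
    if actor.user_id == target.user_id:
        raise AuthorizationError("a user may not edit their own permissions")
    target.permissions = set(new_perms)
    return target.permissions


def self_escalation_blocked(check) -> bool:
    """Run a constructed VIEW-only user against `check`, editing themselves;
    True if their permissions were left unchanged."""
    viewer = User(user_id=42, permissions={"VIEW"})
    try:
        check(viewer, viewer, {"VIEW", "UPDATE", "DELETE"})
    except AuthorizationError:
        pass
    return viewer.permissions == {"VIEW"}


if __name__ == "__main__":
    print("vulnerable blocks self-escalation:", self_escalation_blocked(update_permissions_vulnerable))  # False
    print("fixed blocks self-escalation:", self_escalation_blocked(update_permissions_fixed))  # True
```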

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2024-25604
GHSA-PW7P-3648-QQMG

Affected Products

Liferay DXP
Liferay Portal