PT-2024-21034 · Liferay · Liferay Portal+1

Published: 2024-02-20 · Updated: 2024-12-10 · CVE-2024-25605

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Liferay Portal versions 7.2.0 through 7.4.3.4
Liferay DXP versions 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17

Description

The Journal module in Liferay Portal grants guest users view permission to web content templates by default. This allows remote attackers to view any template via the UI or API.

Recommendations

For Liferay Portal versions 7.2.0 through 7.4.3.4, update to a version that includes the fix for this issue.
For Liferay DXP version 7.4.13, apply service pack 3 or later.
For Liferay DXP version 7.3, apply service pack 3 or later.
For Liferay DXP version 7.2, apply fix pack 17 or later.
As a temporary workaround, consider restricting guest user permissions to web content templates until a patch is available.

Fix

Weakness Enumeration

Incorrect Default Permissions

Related Identifiers

CVE-2024-25605
GHSA-MF8H-GRFG-J9J3

Affected Products

Liferay DXP
Liferay Portal