PT-2024-21323 · Liferay · Liferay Portal, Liferay DXP

Published 2024-02-20 · Updated 2024-02-20 · CVE-2024-26270

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Liferay Portal versions 7.4.3.76 through 7.4.3.99
Liferay DXP 2023.Q3 before patch 5
Liferay DXP 7.4 update 76 through 92

Description

The issue allows man-in-the-middle attackers to steal a user's hashed password, because the hashed password is embedded in the HTML source of the Account Settings page.

Recommendations

For Liferay Portal versions 7.4.3.76 through 7.4.3.99, update to a version outside of this range to resolve the issue.
For Liferay DXP 2023.Q3 before patch 5, apply patch 5 to fix the problem.
For Liferay DXP 7.4 update 76 through 92, update to a version outside of this range to mitigate the risk.
As a temporary workaround, consider restricting access to the Account Settings page until a patch is available.
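The affected ranges above span three different version notations (Portal four-part versions, DXP 7.4 update numbers, and DXP 2023.Q3 patch levels), which makes a by-hand inventory check error-prone. The following script is an added example, not part of the advisory or of Liferay's own tooling: it encodes exactly the ranges stated on this page and checks a constructed host inventory against them. The host names and the inventory format are assumptions for illustration; the version-string patterns it parses follow the notation used in the advisory text.

```python
import re

# Affected ranges exactly as stated in the advisory for CVE-2024-26270:
#   Liferay Portal 7.4.3.76 through 7.4.3.99
#   Liferay DXP 7.4 update 76 through 92
#   Liferay DXP 2023.Q3 before patch 5 (patch 5 is the fix)
PORTAL_AFFECTED = ((7, 4, 3, 76), (7, 4, 3, 99))
DXP_74_UPDATE_AFFECTED = (76, 92)
DXP_2023Q3_FIXED_PATCH = 5


def parse_portal_version(s):
    """Parse a four-part Portal version such as '7.4.3.99' into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"unrecognised Portal version: {s!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(product, version):
    """Return True if (product, version) falls inside one of the advisory's affected ranges."""
    product = product.strip().lower()
    version = version.strip().lower()

    if product == "portal":
        lo, hi = PORTAL_AFFECTED
        return lo <= parse_portal_version(version) <= hi

    if product == "dxp":
        # DXP 7.4 update line, written as '7.4 update 92' or '7.4 u92'
        m = re.fullmatch(r"7\.4\s*(?:update|u)\s*(\d+)", version)
        if m:
            lo, hi = DXP_74_UPDATE_AFFECTED
            return lo <= int(m.group(1)) <= hi
        # DXP 2023.Q3 quarterly line, written as '2023.Q3 patch 3'; no patch suffix means patch 0
        m = re.fullmatch(r"2023\.q3(?:\s*(?:patch|p)\s*(\d+))?", version)
        if m:
            return int(m.group(1) or 0) < DXP_2023Q3_FIXED_PATCH
        raise ValueError(f"unrecognised DXP version: {version!r}")

    raise ValueError(f"unknown product: {product!r}")


# Constructed sample inventory (hypothetical hosts, not real systems): (host, product, version)
INVENTORY = [
    ("portal-a.example", "portal", "7.4.3.80"),
    ("portal-b.example", "portal", "7.4.3.100"),
    ("dxp-a.example", "dxp", "7.4 update 76"),
    ("dxp-b.example", "dxp", "2023.Q3 patch 5"),
    ("dxp-c.example", "dxp", "2023.Q3 patch 2"),
]


def vulnerable_hosts(inventory):
    """Return the hosts whose product/version pair is inside an affected range."""
    return [host for host, product, version in inventory if is_affected(product, version)]


if __name__ == "__main__":
    for host in vulnerable_hosts(INVENTORY):
        print(f"{host}: affected by CVE-2024-26270, update or restrict the Account Settings page")
```

Boundary handling matches the advisory wording: 7.4.3.99 and update 92 are the last affected builds, and 2023.Q3 patch 5 is the first fixed one. Real deployments may report versions in other notations (build numbers, release tags), so extend the regexes before trusting the result for a production inventory.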

Related Identifiers

CVE-2024-26270
GHSA-XQ4R-4XFH-VCH8

Affected Products

Liferay Dxp
Liferay Portal