CVE-2024-26270 — Sensitive Info Insertion into Sent Data in Portal

CWE-201 — Sensitive Info Insertion into Sent Data4 documents4 sources

Severity

5.3MEDIUMNVD

CNA6.5

EPSS

0.2%

top 59.91%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Portal Liferay DXP Liferay Portal +1 more

Timeline

PublishedFeb 20

Description

The Account Settings page in Liferay Portal 7.4.3.76 through 7.4.3.99, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 76 through 92 embeds the user’s hashed password in the page’s HTML source, which allows man-in-the-middle attackers to steal a user's hashed password.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.6 | Impact: 3.6

Affected Packages4 packages

▶NVDliferay/liferay_portal7.4.3.76 — 7.4.3.100

▶CVEListV5liferay/portal7.4.3.76 — 7.4.3.99

▶CVEListV5liferay/dxp2023.q3.1 — 2023.q3.4+1

▶NVDliferay/digital_experience_platform6 versions+5

🔴Vulnerability Details

OSV

Liferay Portal and Liferay DXP vulnerable to theft of hashed password↗2024-02-20

▶

GHSA

Liferay Portal and Liferay DXP vulnerable to theft of hashed password↗2024-02-20

▶

CVEList

CVE-2024-26270: The Account Settings page in Liferay Portal 7↗2024-02-20

▶