Vulnerability Description
Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 18, and older unsupported versions returns with different responses depending on whether a site does not exist or if the user does not have permission to access the site, which allows remote attackers to discover the existence of sites by enumerating URLs. This vulnerability occurs if locale.prepend.friendly.url.style=2 and if a custom 404 page is used.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Liferay | Digital Experience Platform | 7.2 |
| Liferay | Dxp | 7.3 |
| Liferay | Liferay Portal | >= 7.2.0, <= 7.4.1 |
Related Weaknesses (CWE)
References
- https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jektVendor Advisory
- https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jektVendor Advisory
FAQ
What is CVE-2024-25146?
CVE-2024-25146 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 18, and older unsupported versions returns with different responses d...
How severe is CVE-2024-25146?
CVE-2024-25146 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-25146?
Check the references section above for vendor advisories and patch information. Affected products include: Liferay Digital Experience Platform, Liferay Dxp, Liferay Liferay Portal.