Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-25148

In Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions the `doAsUserId` URL parameter may get leaked when creating linked content using the WYSIWYG editor and while impersonating a user. This may allow remote authenticated users to impersonate a user after accessing the linked content.

Published

2024-02-08T04:15:08.240

Last Modified

2025-05-13T18:17:51.450

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.4 (MEDIUM)

Weaknesses
  • Type: Secondary
    CWE-201
  • Type: Primary
    NVD-CWE-noinfo
Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application liferay digital_experience_platform 7.2 Yes
Application liferay digital_experience_platform 7.2 Yes
Application liferay digital_experience_platform 7.2 Yes
Application liferay digital_experience_platform 7.2 Yes
Application liferay digital_experience_platform 7.2 Yes
Application liferay digital_experience_platform 7.2 Yes
Application liferay digital_experience_platform 7.2 Yes
Application liferay digital_experience_platform 7.2 Yes
Application liferay digital_experience_platform 7.2 Yes
Application liferay digital_experience_platform 7.2 Yes
Application liferay digital_experience_platform 7.2 Yes
Application liferay digital_experience_platform 7.2 Yes
Application liferay digital_experience_platform 7.2 Yes
Application liferay digital_experience_platform 7.2 Yes
Application liferay digital_experience_platform 7.2 Yes
Application liferay dxp 7.3 Yes
Application liferay dxp 7.3 Yes
Application liferay dxp 7.3 Yes
Application liferay liferay_portal ≤ 7.4.1 Yes
References