Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-26270

The Account Settings page in Liferay Portal 7.4.3.76 through 7.4.3.99, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 76 through 92 embeds the user’s hashed password in the page’s HTML source, which allows man-in-the-middle attackers to steal a user's hashed password.

Published

2024-02-20T14:15:09.530

Last Modified

2025-01-28T21:25:41.420

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

Weaknesses
  • Type: Secondary
    CWE-201
  • Type: Primary
    NVD-CWE-Other
Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application liferay liferay_portal < 7.4.3.100 Yes
Application liferay digital_experience_platform 7.4 Yes
Application liferay digital_experience_platform 7.4 Yes
Application liferay digital_experience_platform 7.4 Yes
Application liferay digital_experience_platform 7.4 Yes
Application liferay digital_experience_platform 7.4 Yes
Application liferay digital_experience_platform 7.4 Yes
Application liferay digital_experience_platform 7.4 Yes
Application liferay digital_experience_platform 7.4 Yes
Application liferay digital_experience_platform 7.4 Yes
Application liferay digital_experience_platform 7.4 Yes
Application liferay digital_experience_platform 7.4 Yes
Application liferay digital_experience_platform 7.4 Yes
Application liferay digital_experience_platform 7.4 Yes
Application liferay digital_experience_platform 7.4 Yes
Application liferay digital_experience_platform 7.4 Yes
Application liferay digital_experience_platform 7.4 Yes
Application liferay digital_experience_platform 7.4 Yes
Application liferay digital_experience_platform 2023.q3.0 Yes
Application liferay digital_experience_platform 2023.q3.1 Yes
Application liferay digital_experience_platform 2023.q3.2 Yes
Application liferay digital_experience_platform 2023.q3.3 Yes
Application liferay digital_experience_platform 2023.q3.4 Yes
References