6.5
CVE-2024-26270
- EPSS 0.24%
- Published 20.02.2024 14:15:09
- Last modified 28.01.2025 21:25:41
- Source security@liferay.com
- Teams watchlist Login
- Open Login
The Account Settings page in Liferay Portal 7.4.3.76 through 7.4.3.99, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 76 through 92 embeds the user’s hashed password in the page’s HTML source, which allows man-in-the-middle attackers to steal a user's hashed password.
Data is provided by the National Vulnerability Database (NVD)
Liferay ≫ Liferay Portal Version >= 7.4.3.76 < 7.4.3.100
Liferay ≫ Digital Experience Platform Version7.4 Updateupdate76
Liferay ≫ Digital Experience Platform Version7.4 Updateupdate77
Liferay ≫ Digital Experience Platform Version7.4 Updateupdate78
Liferay ≫ Digital Experience Platform Version7.4 Updateupdate79
Liferay ≫ Digital Experience Platform Version7.4 Updateupdate80
Liferay ≫ Digital Experience Platform Version7.4 Updateupdate81
Liferay ≫ Digital Experience Platform Version7.4 Updateupdate82
Liferay ≫ Digital Experience Platform Version7.4 Updateupdate83
Liferay ≫ Digital Experience Platform Version7.4 Updateupdate84
Liferay ≫ Digital Experience Platform Version7.4 Updateupdate85
Liferay ≫ Digital Experience Platform Version7.4 Updateupdate86
Liferay ≫ Digital Experience Platform Version7.4 Updateupdate87
Liferay ≫ Digital Experience Platform Version7.4 Updateupdate88
Liferay ≫ Digital Experience Platform Version7.4 Updateupdate89
Liferay ≫ Digital Experience Platform Version7.4 Updateupdate90
Liferay ≫ Digital Experience Platform Version7.4 Updateupdate91
Liferay ≫ Digital Experience Platform Version7.4 Updateupdate92
Liferay ≫ Digital Experience Platform Version2023.q3.0
Liferay ≫ Digital Experience Platform Version2023.q3.1
Liferay ≫ Digital Experience Platform Version2023.q3.2
Liferay ≫ Digital Experience Platform Version2023.q3.3
Liferay ≫ Digital Experience Platform Version2023.q3.4
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.24% | 0.469 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 5.3 | 1.6 | 3.6 |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
|
| security@liferay.com | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
|
CWE-201 Insertion of Sensitive Information Into Sent Data
The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.