CVE-2024-25146

Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 18, and older unsupported versions returns with different responses depending on whether a site does not exist or if the user does not have permission to access the site, which allows remote attackers to discover the existence of sites by enumerating URLs. This vulnerability occurs if locale.prepend.friendly.url.style=2 and if a custom 404 page is used.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25146	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:liferay:dxp:7.2:-::::::
	cpe:2.3:a:liferay:dxp:7.2:fix_pack_1::::::
	cpe:2.3:a:liferay:dxp:7.2:fix_pack_10::::::
	cpe:2.3:a:liferay:dxp:7.2:fix_pack_11::::::
	cpe:2.3:a:liferay:dxp:7.2:fix_pack_12::::::
	cpe:2.3:a:liferay:dxp:7.2:fix_pack_13::::::
	cpe:2.3:a:liferay:dxp:7.2:fix_pack_14::::::
	cpe:2.3:a:liferay:dxp:7.2:fix_pack_15::::::
	cpe:2.3:a:liferay:dxp:7.2:fix_pack_16::::::
	cpe:2.3:a:liferay:dxp:7.2:fix_pack_17::::::
	cpe:2.3:a:liferay:dxp:7.2:fix_pack_2::::::
	cpe:2.3:a:liferay:dxp:7.2:fix_pack_3::::::
	cpe:2.3:a:liferay:dxp:7.2:fix_pack_4::::::
	cpe:2.3:a:liferay:dxp:7.2:fix_pack_5::::::
	cpe:2.3:a:liferay:dxp:7.2:fix_pack_6::::::
	cpe:2.3:a:liferay:dxp:7.2:fix_pack_7::::::
	cpe:2.3:a:liferay:dxp:7.2:fix_pack_8::::::
	cpe:2.3:a:liferay:dxp:7.2:fix_pack_9::::::
	cpe:2.3:a:liferay:dxp:7.3:-::::::
	cpe:2.3:a:liferay:dxp:7.3:sp1::::::
	cpe:2.3:a:liferay:dxp:7.3:sp2::::::
	cpe:2.3:a:liferay:liferay_portal::::::::

History

15 Feb 2024, 04:37

Type	Values Removed	Values Added
CPE		cpe:2.3:a:liferay:dxp:7.2:fix_pack_6:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_14:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_11:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_8:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_7:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_4:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_1:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_13:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_16:::::: cpe:2.3:a:liferay:dxp:7.3:sp1:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_17:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_2:::::: cpe:2.3:a:liferay:dxp:7.2:-:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_9:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_3:::::: cpe:2.3:a:liferay:dxp:7.3:-:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_15:::::: cpe:2.3:a:liferay:dxp:7.3:sp2:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_5:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_10:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_12:::::: cpe:2.3:a:liferay:liferay_portal::::::::
References	~~() https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25146 -~~	() https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25146 - Vendor Advisory
CWE		CWE-203
First Time		Liferay liferay Portal Liferay dxp Liferay
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.3

08 Feb 2024, 04:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-08 04:15

Updated : 2024-02-28 20:54

NVD link : CVE-2024-25146

Mitre link : CVE-2024-25146

CVE.ORG link : CVE-2024-25146

JSON object : View

Products Affected

liferay

dxp
liferay_portal

CWE

CWE-203

Observable Discrepancy

CWE-204

Observable Response Discrepancy

5.3 /10