VYPR
Moderate severityNVD Advisory· Published Feb 20, 2024· Updated Aug 1, 2024

CVE-2024-25149

CVE-2024-25149

Description

Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions does not properly restrict membership of a child site when the "Limit membership to members of the parent site" option is enabled, which allows remote authenticated users to add users who are not a member of the parent site to a child site. The added user may obtain permission to perform unauthorized actions in the child site.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
com.liferay.portal:release.portal.bomMaven
>= 7.2.0, < 7.4.2-ga37.4.2-ga3
com.liferay.portal:release.dxp.bomMaven
< 7.2.10.fp157.2.10.fp15

Affected products

4

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.