Moderate severityNVD Advisory· Published Feb 20, 2024· Updated Aug 1, 2024
CVE-2024-25150
CVE-2024-25150
Description
Information disclosure vulnerability in the Control Panel in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions allows remote authenticated users to obtain a user's full name from the page's title by enumerating user screen names.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.liferay.portal:release.portal.bomMaven | >= 7.2.0, < 7.4.3.4-ga4 | 7.4.3.4-ga4 |
com.liferay.portal:release.dxp.bomMaven | < 7.2.10.fp19 | 7.2.10.fp19 |
com.liferay.portal:release.dxp.bomMaven | >= 7.3.0, < 7.3.10.u4 | 7.3.10.u4 |
Affected products
2- Liferay/DXPv5Range: 7.3.10
Patches
6eee01ec6cce3LPS-135470 Use StringBundler.concat
1 file changed · +19 −38
portal-impl/src/com/liferay/portal/events/ServicePreAction.java+19 −38 modified@@ -835,22 +835,16 @@ private ThemeDisplay _initThemeDisplay( // Company logo - StringBundler sb = new StringBundler(6); - - sb.append(imagePath); - sb.append("/company_logo"); + String companyLogo = imagePath + "/company_logo"; long companyLogoId = company.getLogoId(); if (companyLogoId > 0) { - sb.append("?img_id="); - sb.append(company.getLogoId()); - sb.append("&t="); - sb.append(WebServerServletTokenUtil.getToken(company.getLogoId())); + companyLogo = StringBundler.concat( + "?img_id=", company.getLogoId(), "&t=", + WebServerServletTokenUtil.getToken(company.getLogoId())); } - String companyLogo = sb.toString(); - int companyLogoHeight = 0; int companyLogoWidth = 0; @@ -1020,19 +1014,16 @@ private ThemeDisplay _initThemeDisplay( !GroupPermissionUtil.contains( permissionChecker, sourceGroup, ActionKeys.VIEW)) { - sb = new StringBundler(6); - - sb.append("User "); - sb.append(user.getUserId()); - sb.append(" is not allowed to access the private "); - sb.append("pages of user "); - sb.append(sourceGroup.getClassPK()); + String message = StringBundler.concat( + "User ", user.getUserId(), + " is not allowed to access the private pages of ", + "user ", sourceGroup.getClassPK()); if (_log.isWarnEnabled()) { - _log.warn(sb.toString()); + _log.warn(message); } - throw new NoSuchLayoutException(sb.toString()); + throw new NoSuchLayoutException(message); } layout = new VirtualLayout(layout, sourceGroup); @@ -1109,20 +1100,16 @@ else if (!loginRequest && user.getUserId()); } - sb = new StringBundler(6); - - sb.append("User "); - sb.append(user.getUserId()); - sb.append(" is not allowed to access the "); - sb.append(layout.isPrivateLayout() ? "private" : "public"); - sb.append(" pages of group "); - sb.append(layout.getGroupId()); + String message = StringBundler.concat( + "User ", user.getUserId(), " is not allowed to access the ", + layout.isPrivateLayout() ? "private" : "public", + " pages of group ", layout.getGroupId()); if (_log.isWarnEnabled()) { - _log.warn(sb.toString()); + _log.warn(message); } - throw new NoSuchLayoutException(sb.toString()); + throw new NoSuchLayoutException(message); } else if (loginRequest && !viewableGroup) { layout = null; @@ -1231,15 +1218,9 @@ else if (group.isLayoutPrototype()) { } if (logoId > 0) { - sb = new StringBundler(5); - - sb.append(imagePath); - sb.append("/layout_set_logo?img_id="); - sb.append(logoId); - sb.append("&t="); - sb.append(WebServerServletTokenUtil.getToken(logoId)); - - layoutSetLogo = sb.toString(); + layoutSetLogo = StringBundler.concat( + imagePath, "/layout_set_logo?img_id=", logoId, "&t=", + WebServerServletTokenUtil.getToken(logoId)); Image layoutSetLogoImage = ImageLocalServiceUtil.getCompanyLogo(logoId);
1 file changed · +10 −14
portal-impl/src/com/liferay/portal/events/ServicePreAction.java+10 −14 modified@@ -1043,22 +1043,14 @@ private ThemeDisplay _initThemeDisplay( } } - // Portal URL - - String portalURL = PortalUtil.getPortalURL(httpServletRequest); - + long doAsGroupId = ParamUtil.getLong(httpServletRequest, "doAsGroupId"); String doAsUserId = ParamUtil.getString( httpServletRequest, "doAsUserId"); String doAsUserLanguageId = ParamUtil.getString( httpServletRequest, "doAsUserLanguageId"); - long doAsGroupId = ParamUtil.getLong(httpServletRequest, "doAsGroupId"); - - long refererGroupId = ParamUtil.getLong( - httpServletRequest, "refererGroupId"); - + Group group = null; List<Layout> layouts = null; - - String ppid = ParamUtil.getString(httpServletRequest, "p_p_id"); + boolean loginRequest = _isLoginRequest(httpServletRequest); Boolean redirectToDefaultLayout = (Boolean)httpServletRequest.getAttribute( @@ -1068,9 +1060,9 @@ private ThemeDisplay _initThemeDisplay( redirectToDefaultLayout = Boolean.FALSE; } - Group group = null; + long refererGroupId = ParamUtil.getLong( + httpServletRequest, "refererGroupId"); - boolean loginRequest = _isLoginRequest(httpServletRequest); boolean stagingGroup = false; boolean viewableGroup = false; @@ -1349,6 +1341,10 @@ else if (group.isLayoutPrototype()) { Locale locale = PortalUtil.getLocale( httpServletRequest, httpServletResponse, true); + // Portal URL + + String portalURL = PortalUtil.getPortalURL(httpServletRequest); + // Scope long scopeGroupId = PortalUtil.getScopeGroupId(httpServletRequest); @@ -1512,7 +1508,7 @@ else if (group.isLayoutPrototype()) { themeDisplay.setPathSound(contextPath.concat("/html/sound")); themeDisplay.setPermissionChecker(permissionChecker); themeDisplay.setPlid(plid); - themeDisplay.setPpid(ppid); + themeDisplay.setPpid(ParamUtil.getString(httpServletRequest, "p_p_id")); themeDisplay.setRealCompanyLogo(companyLogo); themeDisplay.setRealCompanyLogoHeight(companyLogoHeight); themeDisplay.setRealCompanyLogoWidth(companyLogoWidth);
12844a327061LPS-135470 SF
1 file changed · +15 −14
portal-impl/src/com/liferay/portal/events/ServicePreAction.java+15 −14 modified@@ -887,10 +887,6 @@ private ThemeDisplay _initThemeDisplay( return null; } - // Portal URL - - String portalURL = PortalUtil.getPortalURL(httpServletRequest); - boolean signedIn = !user.isDefaultUser(); if (PropsValues.BROWSER_CACHE_DISABLED || @@ -916,15 +912,6 @@ private ThemeDisplay _initThemeDisplay( realUser = UserLocalServiceUtil.getUserById(realUserId.longValue()); } - String doAsUserId = ParamUtil.getString( - httpServletRequest, "doAsUserId"); - String doAsUserLanguageId = ParamUtil.getString( - httpServletRequest, "doAsUserLanguageId"); - long doAsGroupId = ParamUtil.getLong(httpServletRequest, "doAsGroupId"); - - long refererGroupId = ParamUtil.getLong( - httpServletRequest, "refererGroupId"); - long refererPlid = ParamUtil.getLong(httpServletRequest, "refererPlid"); if ((refererPlid != 0) && @@ -978,7 +965,6 @@ private ThemeDisplay _initThemeDisplay( } Layout layout = null; - List<Layout> layouts = null; long plid = ParamUtil.getLong(httpServletRequest, "p_l_id"); @@ -1057,6 +1043,21 @@ private ThemeDisplay _initThemeDisplay( } } + // Portal URL + + String portalURL = PortalUtil.getPortalURL(httpServletRequest); + + String doAsUserId = ParamUtil.getString( + httpServletRequest, "doAsUserId"); + String doAsUserLanguageId = ParamUtil.getString( + httpServletRequest, "doAsUserLanguageId"); + long doAsGroupId = ParamUtil.getLong(httpServletRequest, "doAsGroupId"); + + long refererGroupId = ParamUtil.getLong( + httpServletRequest, "refererGroupId"); + + List<Layout> layouts = null; + String ppid = ParamUtil.getString(httpServletRequest, "p_p_id"); Boolean redirectToDefaultLayout =
9d7676866a77LPS-135470 Also check for VirtualLayout
1 file changed · +19 −0
portal-impl/src/com/liferay/portal/events/ServicePreAction.java+19 −0 modified@@ -1030,6 +1030,25 @@ private ThemeDisplay _initThemeDisplay( Group sourceGroup = GroupLocalServiceUtil.getGroup( sourceGroupId); + if (sourceGroup.isUser() && + !GroupPermissionUtil.contains( + permissionChecker, sourceGroup, ActionKeys.VIEW)) { + + sb = new StringBundler(6); + + sb.append("User "); + sb.append(user.getUserId()); + sb.append(" is not allowed to access the private "); + sb.append("pages of user "); + sb.append(sourceGroup.getClassPK()); + + if (_log.isWarnEnabled()) { + _log.warn(sb.toString()); + } + + throw new NoSuchLayoutException(sb.toString()); + } + layout = new VirtualLayout(layout, sourceGroup); } else {
8eba0b84a096LPS-135470 Handle it in ServicePreAction instead to ensure all means of rendering a user's group are considered
2 files changed · +1 −13
modules/apps/friendly-url/friendly-url-service/src/main/java/com/liferay/friendly/url/internal/servlet/FriendlyURLServlet.java+0 −12 modified@@ -35,16 +35,13 @@ import com.liferay.portal.kernel.model.User; import com.liferay.portal.kernel.model.VirtualLayoutConstants; import com.liferay.portal.kernel.portlet.LayoutFriendlyURLSeparatorComposite; -import com.liferay.portal.kernel.security.permission.ActionKeys; -import com.liferay.portal.kernel.security.permission.PermissionCheckerFactoryUtil; import com.liferay.portal.kernel.service.GroupLocalService; import com.liferay.portal.kernel.service.LayoutFriendlyURLLocalService; import com.liferay.portal.kernel.service.LayoutLocalService; import com.liferay.portal.kernel.service.ServiceContext; import com.liferay.portal.kernel.service.ServiceContextFactory; import com.liferay.portal.kernel.service.ServiceContextThreadLocal; import com.liferay.portal.kernel.service.UserLocalService; -import com.liferay.portal.kernel.service.permission.GroupPermissionUtil; import com.liferay.portal.kernel.servlet.InactiveRequestHandler; import com.liferay.portal.kernel.servlet.PortalMessages; import com.liferay.portal.kernel.servlet.ServletContextPool; @@ -118,15 +115,6 @@ public Redirect getRedirect( Group group = _getGroup(path, groupFriendlyURL, companyId); - if (group.isUser() && - !GroupPermissionUtil.contains( - PermissionCheckerFactoryUtil.create( - portal.getUser(httpServletRequest)), - group, ActionKeys.VIEW)) { - - throw new NoSuchGroupException(); - } - Locale locale = portal.getLocale(httpServletRequest, null, false); SiteFriendlyURL alternativeSiteFriendlyURL =
portal-impl/src/com/liferay/portal/events/ServicePreAction.java+1 −1 modified@@ -1090,7 +1090,7 @@ else if (!loginRequest && !_hasAccessPermission( permissionChecker, layout, false)))) { - if (user.isDefaultUser() && + if (!group.isUser() && user.isDefaultUser() && PropsValues.AUTH_LOGIN_PROMPT_ENABLED) { throw new PrincipalException.MustBeAuthenticated(
c5fa9c50514dLPS-135470 Check view permission for user group and return a generic NoSuchGroup
1 file changed · +12 −0
modules/apps/friendly-url/friendly-url-service/src/main/java/com/liferay/friendly/url/internal/servlet/FriendlyURLServlet.java+12 −0 modified@@ -35,13 +35,16 @@ import com.liferay.portal.kernel.model.User; import com.liferay.portal.kernel.model.VirtualLayoutConstants; import com.liferay.portal.kernel.portlet.LayoutFriendlyURLSeparatorComposite; +import com.liferay.portal.kernel.security.permission.ActionKeys; +import com.liferay.portal.kernel.security.permission.PermissionCheckerFactoryUtil; import com.liferay.portal.kernel.service.GroupLocalService; import com.liferay.portal.kernel.service.LayoutFriendlyURLLocalService; import com.liferay.portal.kernel.service.LayoutLocalService; import com.liferay.portal.kernel.service.ServiceContext; import com.liferay.portal.kernel.service.ServiceContextFactory; import com.liferay.portal.kernel.service.ServiceContextThreadLocal; import com.liferay.portal.kernel.service.UserLocalService; +import com.liferay.portal.kernel.service.permission.GroupPermissionUtil; import com.liferay.portal.kernel.servlet.InactiveRequestHandler; import com.liferay.portal.kernel.servlet.PortalMessages; import com.liferay.portal.kernel.servlet.ServletContextPool; @@ -115,6 +118,15 @@ public Redirect getRedirect( Group group = _getGroup(path, groupFriendlyURL, companyId); + if (group.isUser() && + !GroupPermissionUtil.contains( + PermissionCheckerFactoryUtil.create( + portal.getUser(httpServletRequest)), + group, ActionKeys.VIEW)) { + + throw new NoSuchGroupException(); + } + Locale locale = portal.getLocale(httpServletRequest, null, false); SiteFriendlyURL alternativeSiteFriendlyURL =
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
9- github.com/advisories/GHSA-4585-28v2-8h46ghsaADVISORY
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25150ghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2024-25150ghsaADVISORY
- github.com/liferay/liferay-portal/commit/12844a327061ad55e560f5ab7056381e9cc05d86ghsaWEB
- github.com/liferay/liferay-portal/commit/8eba0b84a0967ad785d96cb09f41f3fac998dcfcghsaWEB
- github.com/liferay/liferay-portal/commit/9d7676866a77c910a7cf689e33c621666bff9a04ghsaWEB
- github.com/liferay/liferay-portal/commit/c5fa9c50514d2be0191cb076b8744c7a871f23dcghsaWEB
- github.com/liferay/liferay-portal/commit/eee01ec6cce3cca99c9e12fba846db1fc64d610dghsaWEB
- github.com/liferay/liferay-portal/commit/f9d6c9b9551956c6f07d4ae8998f53392e3389c0ghsaWEB
News mentions
0No linked articles in our index yet.