CVE-2024-25605
Description
The Journal module in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions grants guest users view permission to web content templates by default, which allows remote attackers to view any template via the UI or API.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.liferay.portal:release.portal.bom (Maven) | >= 7.2.0, < 7.4.3.5-ga5 | 7.4.3.5-ga5 |
| com.liferay.portal:release.dxp.bom (Maven) | < 7.2.10.fp17 | 7.2.10.fp17 |
Affected products
- Liferay/DXP (v5), range: 7.4.13
Patches
- 45ffb97de7ac: LPS-141405 Don't grant VIEW access on information template creation to Guest and Site Member roles.
1 file changed · +0 −3
modules/apps/template/template-web/src/main/java/com/liferay/template/web/internal/portlet/action/AddTemplateEntryMVCActionCommand.java+0 −3 modified@@ -92,9 +92,6 @@ protected void doTransactionalCommand( ServiceContext serviceContext = ServiceContextFactory.getInstance( DDMTemplate.class.getName(), actionRequest); - serviceContext.setAddGroupPermissions(true); - serviceContext.setAddGuestPermissions(true); - try { DDMTemplate ddmTemplate = _ddmTemplateLocalService.addTemplate( themeDisplay.getUserId(), serviceContext.getScopeGroupId(),
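Review bot: Dropping `serviceContext.setAddGroupPermissions(true)` and `serviceContext.setAddGuestPermissions(true)` only changes the permissions assigned to templates created after this commit; nothing in the hunk revisits templates that were already created with Guest and Site Member VIEW, so an upgrade or verification step for existing DDMTemplate resource permissions should accompany this change, or the advisory should tell administrators to review those permissions themselves.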
- 5eb426ecc49e: LPS-141405 Don't grant VIEW access on journal DDMTemplate creation to Guest and Site Member roles.
1 file changed · +0 −3
modules/apps/journal/journal-web/src/main/java/com/liferay/journal/web/internal/portlet/action/AddDDMTemplateMVCActionCommand.java+0 −3 modified@@ -98,9 +98,6 @@ else if (Objects.equals(smallImageSource, "file")) { ServiceContext serviceContext = ServiceContextFactory.getInstance( DDMTemplate.class.getName(), uploadPortletRequest); - serviceContext.setAddGroupPermissions(true); - serviceContext.setAddGuestPermissions(true); - DDMTemplate ddmTemplate = _ddmTemplateService.addTemplate( groupId, _portal.getClassNameId(DDMStructure.class), classPK, _portal.getClassNameId(JournalArticle.class), templateKey, nameMap,
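Review bot: The same two calls are removed here and the action command is the only file changed, so no test pins down the new behaviour; a test that adds a journal template through `AddDDMTemplateMVCActionCommand` and asserts that a user holding only the Guest role is denied VIEW would document the fix and catch a regression if these defaults are reintroduced. The commit message should also call out that, as it states, Site Member VIEW is withdrawn for new templates too, which is a visible behaviour change for sites that relied on templates being readable by every site member.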
References
- github.com/advisories/GHSA-mf8h-grfg-j9j3 (ghsa, ADVISORY)
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25605 (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2024-25605 (ghsa, ADVISORY)
- github.com/liferay/liferay-portal/commit/45ffb97de7ac475335215f2b6e86ebe1e7283ab4 (ghsa, WEB)
- github.com/liferay/liferay-portal/commit/5eb426ecc49e036ad566e829b8a2132104f7130e (ghsa, WEB)