Moderate severity · NVD Advisory · Published Feb 20, 2024 · Updated Aug 16, 2024
CVE-2024-26270
Description
The Account Settings page in Liferay Portal 7.4.3.76 through 7.4.3.99, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 76 through 92 embeds the user’s hashed password in the page’s HTML source, which allows man-in-the-middle attackers to steal a user's hashed password.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.liferay.portal:release.portal.bom (Maven) | >= 7.4.3.76, < 7.4.3.100 | 7.4.3.100 |
| com.liferay.portal:release.dxp.bom (Maven) | >= 2023.Q3, < 2023.Q3.5 | 2023.Q3.5 |
| com.liferay.portal:release.dxp.bom (Maven) | >= 7.4.0, <= 7.4.13.u92 | — |
Affected products (4)
- ghsa-coords, 2 versions: >= 2023.Q3, < 2023.Q3.5 (+ 1 more)
- (no CPE) range: >= 2023.Q3, < 2023.Q3.5
- (no CPE) range: >= 7.4.3.76, < 7.4.3.100
References (3)
- github.com/advisories/GHSA-xq4r-4xfh-vch8 (source: ghsa; type: ADVISORY)
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26270 (source: ghsa; vendor-advisory; type: WEB)
- nvd.nist.gov/vuln/detail/CVE-2024-26270 (source: ghsa; type: ADVISORY)