CVE-2024-26270 | ByteOS Network

Vulnerability Details :

CVE-2024-26270

Assigner-Liferay

Assigner Org ID-8b54e794-c6f0-462e-9faa-c1001a673ac3

Published At-20 Feb, 2024 | 13:43

Updated At-16 Aug, 2024 | 19:55

The Account Settings page in Liferay Portal 7.4.3.76 through 7.4.3.99, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 76 through 92 embeds the user’s hashed password in the page’s HTML source, which allows man-in-the-middle attackers to steal a user's hashed password.

EPSS History

Score

Latest Score

-

N/A

Percentile

Latest Percentile

-

N/A

▼Common Vulnerabilities and Exposures (CVE)

Assigner:Liferay

Assigner Org ID:8b54e794-c6f0-462e-9faa-c1001a673ac3

Published At:20 Feb, 2024 | 13:43

Updated At:16 Aug, 2024 | 19:55

▼CVE Numbering Authority (CNA)

The Account Settings page in Liferay Portal 7.4.3.76 through 7.4.3.99, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 76 through 92 embeds the user’s hashed password in the page’s HTML source, which allows man-in-the-middle attackers to steal a user's hashed password.

Affected Products

Vendor

Product

Default Status

unaffected

Versions

Affected

From 7.4.3.76 through 7.4.3.99 (maven)

Vendor

Product

Default Status

unaffected

Versions

Affected

From 2023.q3.1 through 2023.q3.4 (maven)
From 7.4.13.u76 through 7.4.13.u92 (maven)

Problem Types

Type	CWE ID	Description
CWE	CWE-201	CWE-201 Insertion of Sensitive Information Into Sent Data

Type: CWE

CWE ID: CWE-201

Description: CWE-201 Insertion of Sensitive Information Into Sent Data

Metrics

Version	Base score	Base severity	Vector
3.1	6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Version: 3.1

Base score: 6.5

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

Hyperlink	Resource
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26270	vendor-advisory

Hyperlink: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26270

Resource:

vendor-advisory

▼Authorized Data Publishers (ADP)

1. CVE Program Container

References

Hyperlink	Resource
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26270	vendor-advisory x_transferred

Hyperlink: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26270

Resource:

vendor-advisory

x_transferred

2. CISA ADP Vulnrichment

Metrics Other Info

▼National Vulnerability Database (NVD)

Source:security@liferay.com

Published At:20 Feb, 2024 | 14:15

Updated At:28 Jan, 2025 | 21:25

The Account Settings page in Liferay Portal 7.4.3.76 through 7.4.3.99, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 76 through 92 embeds the user’s hashed password in the page’s HTML source, which allows man-in-the-middle attackers to steal a user's hashed password.

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary	3.1	5.3	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Type: Secondary

Version: 3.1

Base score: 6.5

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Type: Primary

Version: 3.1

Base score: 5.3

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CPE Matches

>>liferay_portal>>Versions from 7.4.3.76(inclusive) to 7.4.3.100(exclusive)

cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*

>>digital_experience_platform>>7.4

cpe:2.3:a:liferay:digital_experience_platform:7.4:update76:*:*:*:*:*:*

>>digital_experience_platform>>7.4

cpe:2.3:a:liferay:digital_experience_platform:7.4:update77:*:*:*:*:*:*

>>digital_experience_platform>>7.4

cpe:2.3:a:liferay:digital_experience_platform:7.4:update78:*:*:*:*:*:*

>>digital_experience_platform>>7.4

cpe:2.3:a:liferay:digital_experience_platform:7.4:update79:*:*:*:*:*:*

>>digital_experience_platform>>7.4

cpe:2.3:a:liferay:digital_experience_platform:7.4:update80:*:*:*:*:*:*

>>digital_experience_platform>>7.4

cpe:2.3:a:liferay:digital_experience_platform:7.4:update81:*:*:*:*:*:*

>>digital_experience_platform>>7.4

cpe:2.3:a:liferay:digital_experience_platform:7.4:update82:*:*:*:*:*:*

>>digital_experience_platform>>7.4

cpe:2.3:a:liferay:digital_experience_platform:7.4:update83:*:*:*:*:*:*

>>digital_experience_platform>>7.4

cpe:2.3:a:liferay:digital_experience_platform:7.4:update84:*:*:*:*:*:*

>>digital_experience_platform>>7.4

cpe:2.3:a:liferay:digital_experience_platform:7.4:update85:*:*:*:*:*:*

>>digital_experience_platform>>7.4

cpe:2.3:a:liferay:digital_experience_platform:7.4:update86:*:*:*:*:*:*

>>digital_experience_platform>>7.4

cpe:2.3:a:liferay:digital_experience_platform:7.4:update87:*:*:*:*:*:*

>>digital_experience_platform>>7.4

cpe:2.3:a:liferay:digital_experience_platform:7.4:update88:*:*:*:*:*:*

>>digital_experience_platform>>7.4

cpe:2.3:a:liferay:digital_experience_platform:7.4:update89:*:*:*:*:*:*

>>digital_experience_platform>>7.4

cpe:2.3:a:liferay:digital_experience_platform:7.4:update90:*:*:*:*:*:*

>>digital_experience_platform>>7.4

cpe:2.3:a:liferay:digital_experience_platform:7.4:update91:*:*:*:*:*:*

>>digital_experience_platform>>7.4

cpe:2.3:a:liferay:digital_experience_platform:7.4:update92:*:*:*:*:*:*

>>digital_experience_platform>>2023.q3.0

cpe:2.3:a:liferay:digital_experience_platform:2023.q3.0:*:*:*:*:*:*:*

>>digital_experience_platform>>2023.q3.1

cpe:2.3:a:liferay:digital_experience_platform:2023.q3.1:*:*:*:*:*:*:*

>>digital_experience_platform>>2023.q3.2

cpe:2.3:a:liferay:digital_experience_platform:2023.q3.2:*:*:*:*:*:*:*

>>digital_experience_platform>>2023.q3.3

cpe:2.3:a:liferay:digital_experience_platform:2023.q3.3:*:*:*:*:*:*:*

>>digital_experience_platform>>2023.q3.4

cpe:2.3:a:liferay:digital_experience_platform:2023.q3.4:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-201	Secondary	security@liferay.com
NVD-CWE-Other	Primary	nvd@nist.gov

CWE ID: CWE-201

Type: Secondary

Source: security@liferay.com

CWE ID: NVD-CWE-Other

Type: Primary

Source: nvd@nist.gov

References

Hyperlink	Source	Resource
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26270	security@liferay.com	Vendor Advisory
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26270	af854a3a-2127-422b-91ae-364da2661108	Vendor Advisory

Hyperlink: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26270

Source: security@liferay.com

Resource:

Vendor Advisory

Hyperlink: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26270

Source: af854a3a-2127-422b-91ae-364da2661108

Resource:

Vendor Advisory