CVE-2024-26270

The Account Settings page in Liferay Portal 7.4.3.76 through 7.4.3.99, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 76 through 92 embeds the users hashed password in the pages HTML source, which allows man-in-the-middle attackers to steal a user's hashed password.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
LiferayCNA
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 39%
VendorProductVersion
liferayliferay_portal
7.4.3.76 ≤
𝑥
< 7.4.3.100
liferaydigital_experience_platform
7.4:update76
liferaydigital_experience_platform
7.4:update77
liferaydigital_experience_platform
7.4:update78
liferaydigital_experience_platform
7.4:update79
liferaydigital_experience_platform
7.4:update80
liferaydigital_experience_platform
7.4:update81
liferaydigital_experience_platform
7.4:update82
liferaydigital_experience_platform
7.4:update83
liferaydigital_experience_platform
7.4:update84
liferaydigital_experience_platform
7.4:update85
liferaydigital_experience_platform
7.4:update86
liferaydigital_experience_platform
7.4:update87
liferaydigital_experience_platform
7.4:update88
liferaydigital_experience_platform
7.4:update89
liferaydigital_experience_platform
7.4:update90
liferaydigital_experience_platform
7.4:update91
liferaydigital_experience_platform
7.4:update92
liferaydigital_experience_platform
2023.q3.0:q3.0
liferaydigital_experience_platform
2023.q3.1:q3.1
liferaydigital_experience_platform
2023.q3.2:q3.2
liferaydigital_experience_platform
2023.q3.3:q3.3
liferaydigital_experience_platform
2023.q3.4:q3.4
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26270
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26270