Description
The Journal module in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions grants guest users view permission to web content templates by default, which allows remote attackers to view any template via the UI or API.
References (1)
Vendor Advisory
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25605
Scores
CVSS v3
5.3
EPSS
0.0019
EPSS Percentile
40.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-276
Status
published
Products (7)
com.liferay.portal/release.dxp.bom
0 - 7.2.10.fp17 (Maven)
com.liferay.portal/release.portal.bom
7.2.0 - 7.4.3.5-ga5 (Maven)
liferay/digital_experience_platform
7.2 (22 CPE variants)
liferay/digital_experience_platform
7.3 (4 CPE variants)
liferay/digital_experience_platform
7.4
liferay/digital_experience_platform
< 7.2
liferay/liferay_portal
< 7.4.3.5
Published
Feb 20, 2024
Tracked Since
Feb 18, 2026