CVE-2024-26267

MEDIUM

Liferay Portal <7.4.3.25, Liferay DXP <7.4 - Info Disclosure

Title source: llm

Description

In Liferay Portal 7.2.0 through 7.4.3.25, and older unsupported versions, and Liferay DXP 7.4 before update 26, 7.3 before update 5, 7.2 before fix pack 19, and older unsupported versions the default value of the portal property `http.header.version.verbosity` is set to `full`, which allows remote attackers to easily identify the version of the application that is running and the vulnerabilities that affect that version via 'Liferay-Portal` response header.

References (1)

[Vendor Advisory] https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26267

Scores

CVSS v3 5.3

EPSS 0.0022

EPSS Percentile 44.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-1188

Status published

Products (5)

com.liferay.portal/release.dxp.bom 0 - 7.2.10.fp19Maven

com.liferay.portal/release.portal.bom 7.2.0 - 7.4.3.26-ga26Maven

liferay/digital_experience_platform 7.2 (25 CPE variants)

liferay/digital_experience_platform 7.3 (6 CPE variants)

liferay/digital_experience_platform 7.4 (17 CPE variants)

Published Feb 20, 2024

Tracked Since Feb 18, 2026