CVE-2024-26268

MEDIUM

Liferay Portal < 7.3.7 - Information Disclosure

Title source: rule

Description

User enumeration vulnerability in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 8, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to determine if an account exist in the application by comparing the request's response time.

References (1)

[Vendor Advisory] https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26268

Scores

CVSS v3 5.3

EPSS 0.0030

EPSS Percentile 53.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-203

Status published

Products (5)

com.liferay.portal/release.dxp.bom 0 - 7.2.10.fp20Maven

com.liferay.portal/release.portal.bom 7.2.0 - 7.4.3.27-ga27Maven

liferay/digital_experience_platform 7.2 (27 CPE variants)

liferay/digital_experience_platform 7.3 (9 CPE variants)

liferay/digital_experience_platform 7.4 (12 CPE variants)

Published Feb 20, 2024

Tracked Since Feb 18, 2026