CVE-2024-26270

MEDIUM

Liferay Portal/DXP - Info Disclosure

Title source: llm

Description

The Account Settings page in Liferay Portal 7.4.3.76 through 7.4.3.99, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 76 through 92 embeds the user’s hashed password in the page’s HTML source, which allows man-in-the-middle attackers to steal a user's hashed password.

References (1)

[Vendor Advisory] https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26270

Scores

CVSS v3 6.5

EPSS 0.0018

EPSS Percentile 39.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Classification

CWE

CWE-201

Status published

Affected Products (25)

liferay/liferay_portal < 7.4.3.100

liferay/digital_experience_platform

... and 10 more

Timeline

Published Feb 20, 2024

Tracked Since Feb 18, 2026