CVE-2024-26268 User enumeration vulnerability by comparing login response time

Description

User enumeration vulnerability in Liferay Portal and Liferay DXP allows remote attackers to determine if an account exist in the application by comparing the request's response time.

Severity

5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Version(s)

  • Liferay Portal 7.4.0 through 7.4.3.26
  • Liferay Portal 7.3.0 through 7.3.7
  • Liferay Portal 7.2.0 and 7.2.1
  • Liferay Portal, older unsupported versions
  • Liferay DXP 7.4 before update 27
  • Liferay DXP 7.3 before update 8
  • Liferay DXP 7.2 before fix pack 20
  • Liferay DXP, older unsupported versions

Fixed Version(s)

Acknowledgments

This issue was reported by Barnabás Horváth (T4r0)

Publication date: Tue, 20 Feb 2024 13:10:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historial advisories are availabe in the Help Center.