Description
User enumeration vulnerability in Liferay Portal and Liferay DXP allows remote attackers to determine if an account exist in the application by comparing the request's response time.
Severity
5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected Version(s)
- Liferay Portal 7.4.0 through 7.4.3.26
- Liferay Portal 7.3.0 through 7.3.7
- Liferay Portal 7.2.0 and 7.2.1
- Liferay Portal, older unsupported versions
- Liferay DXP 7.4 before update 27
- Liferay DXP 7.3 before update 8
- Liferay DXP 7.2 before fix pack 20
- Liferay DXP, older unsupported versions
Fixed Version(s)
- Liferay Portal 7.4.3.27
- Liferay DXP 7.4 update 27
- Liferay DXP 7.3 update 8
- Liferay DXP 7.2 fix pack 20
Acknowledgments
This issue was reported by Barnabás Horváth (T4r0)
Publication date: Tue, 20 Feb 2024 13:10:00 +0000