CVE-2024-26270 User's hashed password appears in page's HTML source

Description

The Account Settings page in Liferay Portal and Liferay DXP embeds the user’s hashed password in the page’s HTML source, which allows man-in-the-middle attackers to steal a user's hashed password.

Severity

6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Affected Version(s)

  • Liferay Portal 7.4.3.76 through 7.4.3.99
  • Liferay DXP 2023.Q3 before patch 5
  • Liferay DXP 7.4 update 76 through 92

Fixed Version(s)

Publication date: Tue, 20 Feb 2024 13:30:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historical advisories are available in the Help Center.