6.5

CVE-2024-26270 User`s hashed password appears in page`s HTML source

Description

The Account Settings page in Liferay Portal and Liferay DXP embeds the user’s hashed password in the page’s HTML source, which allows man-in-the-middle attackers to steal a user's hashed password.

Severity

6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Affected Version(s)

  • Liferay Portal 7.4.3.76 through 7.4.3.99
  • Liferay DXP 2023.Q3 before patch 5
  • Liferay DXP 7.4 update 76 through 92

Fixed Version(s)

Publication Date: 

February 20, 2024

Found a Bug?

If you have found, or think you have found a bug, help us to help you by letting us know!

Found a Security Vulnerability?

There's a different process available if you have a security issue to report...

Hall of Fame!

Raise your profile - report security vulnerabilities and enter the Hall of Fame!