
CVE-2024-26270 User's hashed password appears in page's HTML source

Description

The Account Settings page in Liferay Portal and Liferay DXP embeds the user’s hashed password in the page’s HTML source, which allows man-in-the-middle attackers to steal a user's hashed password.
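A regression check for this class of exposure, as an added example that is not Liferay's code: it scans a rendered page for attribute values and inline text shaped like password hashes. The hash encodings, the `password0` and `pwdHash` field names and the sample pages are assumptions constructed for illustration; the advisory does not state the hash format or the field involved.

```python
import re
from html.parser import HTMLParser

# Assumed encodings (the advisory does not state the hash format):
# modular-crypt "$id$..." strings and LDAP-style "{SCHEME}base64" strings.
TYPED_HASH = re.compile(
    r"\$[a-z0-9-]{1,16}\$[./A-Za-z0-9$=,+]{20,}"
    r"|\{[A-Za-z0-9-]{2,16}\}[A-Za-z0-9+/]{20,}={0,2}"
)
# Bare hex digests also match tokens and IDs, so they only count when the
# element's name or id looks password-related.
HEX_DIGEST = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64}|[0-9a-f]{128})$", re.I)
PASSWORD_FIELD = re.compile(r"pass|pwd", re.I)

class HashLeakScanner(HTMLParser):
    """Collects (tag, field, reason) for values shaped like password hashes."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = {k: v or "" for k, v in attrs}
        field = attr.get("name") or attr.get("id") or ""
        for key, value in attr.items():
            if TYPED_HASH.search(value):
                self.findings.append((tag, field or key, "typed-hash"))
            elif HEX_DIGEST.match(value) and PASSWORD_FIELD.search(field):
                self.findings.append((tag, field, "hex-digest"))

    def handle_data(self, data):
        # Inline scripts and text nodes can carry the same value as JSON or JS.
        if TYPED_HASH.search(data):
            self.findings.append(("#text", "", "typed-hash"))

def scan_html(html):
    scanner = HashLeakScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed samples (not taken from Liferay); field names are hypothetical.
FAKE_HASH = "$2a$10$" + "A" * 53
LEAKY_PAGE = f'<form><input type="hidden" name="password0" value="{FAKE_HASH}"></form>'
HEX_PAGE = '<input id="pwdHash" value="' + "ab" * 32 + '"><input name="csrf" value="' + "cd" * 32 + '">'
CLEAN_PAGE = '<form><input type="password" name="password0" value=""></form>'

if __name__ == "__main__":
    for page in (LEAKY_PAGE, HEX_PAGE, CLEAN_PAGE):
        print(scan_html(page))
```

Run it against the saved HTML of authenticated account pages in a test environment; any finding means credential material is reaching the browser and should fail the build.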

Severity

6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Affected Version(s)

  • Liferay Portal 7.4.3.76 through 7.4.3.99
  • Liferay DXP 2023.Q3 before patch 5
  • Liferay DXP 7.4 update 76 through 92

Fixed Version(s)

Publication Date: 

February 20, 2024
