CVE-2024-25604 User can access and edit their own permissions

Description

Liferay Portal and Liferay DXP does not properly check user permissions, which allows remote authenticated users with the VIEW user permission to edit their own permission via the User and Organizations section of the Control Panel.

Severity

6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)

Affected Version(s)

  • Liferay Portal 7.4.0 through 7.4.3.4
  • Liferay Portal 7.3.0 through 7.3.7
  • Liferay Portal 7.2.0 and 7.2.1
  • Liferay Portal, older unsupported versions
  • Liferay DXP 7.4 GA
  • Liferay DXP 7.3 before service pack 3
  • Liferay DXP 7.2 before fix pack 17
  • Liferay DXP, older unsupported versions

Fixed Version(s)

Publication date: Tue, 20 Feb 2024 08:30:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historial advisories are availabe in the Help Center.