CVE-2024-25146

CVSS 3.1 Score 5.3 of 10 (medium)

Details

Published Feb 8, 2024
Updated: Feb 15, 2024
CWE ID 203
CWE ID 204

Summary

CVE-2024-25146 is a vulnerability that affects Liferay Portal versions 7.2.0 through 7.4.1, as well as older unsupported versions, and Liferay DXP versions 7.3 before service pack 3 and 7.2 before fix pack 18, along with older unsupported versions. This vulnerability allows remote attackers to determine the existence of sites by enumerating URLs, depending on whether a site does not exist or if the user does not have permission to access it. The vulnerability occurs when the configuration setting "locale.prepend.friendly.url.style" is set to "2" and a custom 404 page is used. The potential danger of this vulnerability lies in the exposure of sensitive information and the potential for unauthorized access to sites within an organization's Liferay deployment. To remediate this issue, users should upgrade to Liferay Portal version 7.4.1 or apply the necessary service packs and fix packs for Liferay DXP versions 7.3 and 7.2 respectively.

Explore Beyond the CVE Basics with Recorded Future's Vulnerability Intelligence

Note: This is just a basic overview providing quick insights into CVE-2024-25146 information. Gain full access to comprehensive CVE data, risk scores, prioritization, and mitigation data through Recorded Future's Vulnerability Intelligence:
  • Prioritize with Risk-Based Scoring
  • Explore the Extensive Vulnerability Database
  • Receive Early Alerts on Emerging CVEs
  • Focus on Critical Exploitable Vulnerabilities
  • Streamline Remediation with Integration Options