CVE-2024-25146

Summary

CVE-2024-25146 is a vulnerability that affects Liferay Portal versions 7.2.0 through 7.4.1, as well as older unsupported versions, and Liferay DXP versions 7.3 before service pack 3 and 7.2 before fix pack 18, along with older unsupported versions. This vulnerability allows remote attackers to determine the existence of sites by enumerating URLs, depending on whether a site does not exist or if the user does not have permission to access it. The vulnerability occurs when the configuration setting "locale.prepend.friendly.url.style" is set to "2" and a custom 404 page is used. The potential danger of this vulnerability lies in the exposure of sensitive information and the potential for unauthorized access to sites within an organization's Liferay deployment. To remediate this issue, users should upgrade to Liferay Portal version 7.4.1 or apply the necessary service packs and fix packs for Liferay DXP versions 7.3 and 7.2 respectively.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.