CVE-2024-25146
CVSS 3.1 Score 5.3 of 10 (medium)
Details
Summary
CVE-2024-25146 is a vulnerability that affects Liferay Portal versions 7.2.0 through 7.4.1, as well as older unsupported versions, and Liferay DXP versions 7.3 before service pack 3 and 7.2 before fix pack 18, along with older unsupported versions. This vulnerability allows remote attackers to determine the existence of sites by enumerating URLs, depending on whether a site does not exist or if the user does not have permission to access it. The vulnerability occurs when the configuration setting "locale.prepend.friendly.url.style" is set to "2" and a custom 404 page is used. The potential danger of this vulnerability lies in the exposure of sensitive information and the potential for unauthorized access to sites within an organization's Liferay deployment. To remediate this issue, users should upgrade to Liferay Portal version 7.4.1 or apply the necessary service packs and fix packs for Liferay DXP versions 7.3 and 7.2 respectively.
Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.
Advisories, Assessments, and Mitigations
Prioritize, Pinpoint, and Act to Prevent Vulnerability Exploits with Recorded Future
- Gain complete coverage of your cyber, third party, and physical attack surface
- Proactively mitigate threats before they turn into costly attacks
- Make fast, effective, data-driven decisions