CVE-2024-25605

Summary

CVE-2024-25605 is a vulnerability in the Journal module of Liferay Portal versions 7.2.0 through 7.4.3.4, as well as older unsupported versions, and Liferay DXP version 7.4.13, 7.3 before service pack 3, and 7.2 before fix pack 17, along with older unsupported versions. This vulnerability grants guest users the ability to view web content templates by default, allowing remote attackers to access any template through the user interface or API. The base severity of this vulnerability is rated as MEDIUM with a base score of 5.3 according to CVSS:3.1 scoring system. It does not require any privileges or user interaction to exploit and can be exploited over a network without impacting integrity or availability, while confidentiality impact is rated as LOW. Remediation for this vulnerability would involve updating Liferay Portal to version 7.4.3 GA5 or higher for the affected versions (including unsupported versions), and updating Liferay DXP to version 7.4 SP3+ or higher for the affected versions (including unsupported versions). By applying these updates, organizations can mitigate the risk posed by unauthorized access to web content templates for guest users. This vulnerability poses a potential danger to organizations using Liferay Portal or Liferay DXP, as it allows unauthorized users to view sensitive web content templates that they should not have access to. This could lead to information disclosure and compromise the confidentiality of sensitive data stored within these templates. Organizations should promptly address this vulnerability through the recommended updates to protect their data and prevent unauthorized access.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.