CVE-2024-25150 — Liferay Portal and Liferay DXP Information Disclosure Vulnerability in the Contr

Description

Information disclosure vulnerability in the Control Panel in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions allows remote authenticated users to obtain a user's full name from the page's title by enumerating user screen names.

How to fix CVE-2024-25150

To remediate CVE-2024-25150, upgrade the affected package to a fixed version below.

—upgrade to 7.2.10.fp19 or later
—upgrade to 7.4.3.4-ga4 or later

Is CVE-2024-25150 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 7.2.10.fp19
>= 7.2.0, < 7.4.3.4-ga4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-25150
PATCHgithub.com/liferay/liferay-portal
WEBgithub.com/liferay/liferay-portal/commit/12844a327061ad55e560f5ab7056381e9cc05d86
WEBgithub.com/liferay/liferay-portal/commit/8eba0b84a0967ad785d96cb09f41f3fac998dcfc