CVE-2024-25604 — Liferay Portal and Liferay DXP Allows Authenticated Users with View Permissions

Description

Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions does not properly check user permissions, which allows remote authenticated users with the VIEW user permission to edit their own permission via the User and Organizations section of the Control Panel.

How to fix CVE-2024-25604

To remediate CVE-2024-25604, upgrade the affected package to a fixed version below.

—no fix listed
—upgrade to 7.4.3.5-ga5 or later

Is CVE-2024-25604 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 7.2.0, < 7.4.3.5-ga5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-25604
PATCHgithub.com/liferay/liferay-portal
WEBgithub.com/liferay/liferay-portal/commit/4a196df20e180be76944cd0c623df486379d7724
WEBgithub.com/liferay/liferay-portal/commit/f028316fa975d2e13bed7ef49d69ab77f412765e