CVE-2024-26268 — Liferay Portal and Liferay DXP User Enumeration Vulnerability

Description

User enumeration vulnerability in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 8, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to determine if an account exist in the application by comparing the request's response time.

How to fix CVE-2024-26268

To remediate CVE-2024-26268, upgrade the affected package to a fixed version below.

—upgrade to 7.2.10.fp20 or later
—upgrade to 7.4.3.27-ga27 or later

Is CVE-2024-26268 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 7.2.10.fp20
>= 7.2.0, < 7.4.3.27-ga27

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-26268
PATCHgithub.com/liferay/liferay-portal
WEBgithub.com/liferay/liferay-portal/commit/46db55ec21103fa39542e2cba080c4f98e3c5f93
WEBgithub.com/liferay/liferay-portal/commit/d8d0ae0178a2d902b541c80a230a2c7a5ab246e8