Home > Vulnerability Database > CVE-2024-25148

Mend.io Vulnerability Database

CVE-2024-25148

Good to know:

Date: February 7, 2024

In Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions the "doAsUserId" URL parameter may get leaked when creating linked content using the WYSIWYG editor and while impersonating a user. This may allow remote authenticated users to impersonate a user after accessing the linked content.

Language: Java

Severity Score

5.4

Related Resources (4)

Url: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25148

Url: https://github.com/liferay/liferay-portal

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-25148

Url: https://www.mend.io/vulnerability-database/CVE-2024-25148

Severity Score

5.4

Weakness Type (CWE)

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

Insufficient Information

NVD-CWE-noinfo

Insertion of Sensitive Information Into Sent Data

CWE-201

Top Fix

Upgrade Version

Upgrade to version com.liferay.portal:release.portal.bom:7.4.2;com.liferay.portal:release.dxp.bom:7.2.10.fp15;com.liferay.portal:release.dxp.bom:7.3.10.u4

Learn More

CVSS v3.1

Base Score:	5.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-25148

Good to know:

Date: February 7, 2024

Language: Java

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?