CVE-2024-25150 – com.liferay.portal:release.dxp.bom
Package
Manager: maven
Name: com.liferay.portal:release.dxp.bom
Vulnerable Version: >=0 <7.2.10.fp19 || >=7.3.0 <7.3.10.u4
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00237 (percentile 0.46704)
Details
Liferay Portal and Liferay DXP Information Disclosure Vulnerability in the Control Panel
Information disclosure vulnerability in the Control Panel in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions allows remote authenticated users to obtain a user's full name from the page's title by enumerating user screen names.
Metadata
Created: 2024-02-20T09:30:31Z
Modified: 2025-07-29T12:29:29Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-4585-28v2-8h46/GHSA-4585-28v2-8h46.json
CWE IDs: ["CWE-201"]
Alternative ID: GHSA-4585-28v2-8h46
Finding: F037
Auto approve: 1