Fluid Attacks Database

Description

Liferay Portal and Liferay DXP Information Disclosure Vulnerability in the Control Panel Information disclosure vulnerability in the Control Panel in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions allows remote authenticated users to obtain a user's full name from the page's title by enumerating user screen names.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	com.liferay.portal:release.portal.bom	>=7.2.0 <7.4.3.4-ga4	7.4.3.4-ga4
maven	com.liferay.portal:release.dxp.bom	>=0 <7.2.10.fp19 \|\| >=7.3.0 <7.3.10.u4	7.2.10.fp19, 7.3.10.u4

Aliases

1. CVE-2024-251502. NVD-2024-251503. OSV-2024-251504. GCVE-2024-25150

References

1. https://github.com/liferay/liferay-portal/commit/12844a327061ad55e560f5ab7056381e9cc05d862. https://github.com/liferay/liferay-portal/commit/8eba0b84a0967ad785d96cb09f41f3fac998dcfc3. https://github.com/liferay/liferay-portal/commit/9d7676866a77c910a7cf689e33c621666bff9a044. https://github.com/liferay/liferay-portal/commit/c5fa9c50514d2be0191cb076b8744c7a871f23dc5. https://github.com/liferay/liferay-portal/commit/eee01ec6cce3cca99c9e12fba846db1fc64d610d6. https://github.com/liferay/liferay-portal/commit/f9d6c9b9551956c6f07d4ae8998f53392e3389c07. https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25150