Fluid Attacks Database

Description

Liferay Portal vulnerable to user impersonation In Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions the doAsUserId URL parameter may get leaked when creating linked content using the WYSIWYG editor and while impersonating a user. This may allow remote authenticated users to impersonate a user after accessing the linked content.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	com.liferay.portal:release.portal.bom	>=7.2.0 <7.4.2	7.4.2
maven	com.liferay.portal:release.dxp.bom	>=7.2.0 <7.2.10.fp15 \|\| >=7.3.0 <7.3.10.u4	7.2.10.fp15, 7.3.10.u4

Aliases

1. CVE-2024-251482. NVD-2024-251483. OSV-2024-251484. GCVE-2024-25148

References

1. https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25148

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.