Description
The Account Settings page in Liferay Portal 7.4.3.76 through 7.4.3.99, Liferay DXP 2023.Q3 before patch 5, and Liferay DXP 7.4 update 76 through 92 embeds the user's hashed password in the page's HTML source, which allows man-in-the-middle attackers to steal the user's hashed password.
Remediation
References