Description
The Account Settings page in Liferay Portal 7.4.3.76 through 7.4.3.99, and in Liferay DXP 2023.Q3 before patch 5 and 7.4 update 76 through 92, embeds the user's hashed password in the page's HTML source, which allows man-in-the-middle attackers to steal a user's hashed password.