Description

The Account Settings page in Liferay Portal 7.4.3.76 through 7.4.3.99, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 76 through 92 embeds the user’s hashed password in the page’s HTML source, which allows man-in-the-middle attackers to steal a user's hashed password.

Remediation

References

CVE-2024-26270

Related Vulnerabilities

Magento Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2019-7868)

Jboss EAP Out-of-bounds Read Vulnerability (CVE-2019-0210)

TYPO3 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2010-5102)

WordPress Plugin Survey Maker-Best WordPress Survey SQL Injection (3.1.1)

Django Improper Input Validation Vulnerability (CVE-2010-4535)

Severity

Medium

Classification

CVE-2024-26270 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Missing Update Known Vulnerabilities