CVE-2024-25604
 
Public Exploits: 0
Exploited in Wild: -
Descriptions
Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions do not properly check user permissions, which allows remote authenticated users with the VIEW user permission to edit their own permission via the User and Organizations section of the Control Panel.
SSVC
- Decision: Track
Timeline
- 2024-02-08 CVE Reserved
- 2024-02-20 CVE Published
- 2024-02-21 EPSS Updated
- 2024-08-01 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-863: Incorrect Authorization
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Liferay | Portal | >= 7.2.0.0 <= 7.4.3.4 | en | Affected |
Liferay | DXP | 7.4.13 | en | Affected |