CVE-2024-25148
Published Feb 8, 2024
Last updated a month ago
Overview
- Description
- In Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions the `doAsUserId` URL parameter may get leaked when creating linked content using the WYSIWYG editor and while impersonating a user. This may allow remote authenticated users to impersonate a user after accessing the linked content.
- Source
- security@liferay.com
- NVD status
- Modified
Social media
- Hype score
- Not currently trending
Risk scores
CVSS 3.1
- Type
- Primary
- Base score
- 8.1
- Impact score
- 5.2
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
- Severity
- HIGH
Weaknesses
- nvd@nist.gov
- NVD-CWE-noinfo
- security@liferay.com
- CWE-201
Configurations
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:liferay:dxp:7.2:-:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "8CAAE1B7-982E-4D50-9651-DEEE6CD74EED"
},
{
"criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_1:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "AFCF99EC-3384-418D-A419-B9DB607BE371"
},
{
"criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_10:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "F7CAAF53-AA8E-48CB-9398-35461BE590C4"
},
{
"criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_11:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "6FB8482E-644B-4DA5-808B-8DBEAB6D8D09"
},
{
"criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_12:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "95EFE8B5-EE95-4186-AC89-E9AFD8649D01"
},
{
"criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_13:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "90A6E0AF-0B8A-462D-95EF-2239EEE4A50D"
},
{
"criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_14:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "48BBAE90-F668-49BF-89AF-2C9547B76836"
},
{
"criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_2:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "31E05134-A0C5-4937-A228-7D0884276B67"
},
{
"criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_3:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "3F06C4AD-FD20-4345-8386-0895312F0A00"
},
{
"criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_4:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "98CC25E2-EC3D-43A2-8D03-06F0E804EA63"
},
{
"criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_5:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "30933C36-C710-488F-9601-EE1BB749C58A"
},
{
"criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_6:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "41E94372-A1AE-48B1-82DC-08B7B616473F"
},
{
"criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_7:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "51FBC8E0-34F8-475C-A1A8-571791CA05F9"
},
{
"criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_8:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "1E73EAEA-FA88-46B9-B9D5-A41603957AD7"
},
{
"criteria": "cpe:2.3:a:liferay:dxp:7.2:fix_pack_9:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "CF9BC654-4E3F-4B40-A6E5-79A818A51BED"
},
{
"criteria": "cpe:2.3:a:liferay:dxp:7.3:-:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "21C55D41-DB66-494D-BEEB-BDAC7CB4B31B"
},
{
"criteria": "cpe:2.3:a:liferay:dxp:7.3:sp1:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "9D75A0FF-BAEA-471A-87B2-8EC2A9F0A6B5"
},
{
"criteria": "cpe:2.3:a:liferay:dxp:7.3:sp2:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "D86CDCC0-9655-477B-83FA-ADDBB5AF43A2"
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "F247D45A-D3E4-4EDD-A18D-147FFBEF0935",
"versionEndIncluding": "7.4.1",
"versionStartIncluding": "7.2.0"
}
],
"operator": "OR"
}
]
}
]