The Account Settings page in Liferay Portal 7.4.3.76 through 7.4.3.99, and in Liferay DXP 2023.Q3 before patch 5 and 7.4 update 76 through 92, embeds the user's hashed password in the page's HTML source, which allows man-in-the-middle attackers to steal a user's hashed password.
MITRE
Status: PUBLISHED
Assigner: Liferay
Published: 2024-02-20T13:43:46.074Z
Updated: 2024-08-16T19:55:12.801Z
Reserved: 2024-02-15T07:44:36.776Z
Link: CVE-2024-26270
Vulnrichment
Updated: 2024-08-02T00:07:19.056Z
NVD
Status: Awaiting Analysis
Published: 2024-02-20T14:15:09.530
Modified: 2024-11-21T09:02:16.553
Link: CVE-2024-26270