The Account Settings page in Liferay Portal 7.4.3.76 through 7.4.3.99, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 76 through 92 embeds the user’s hashed password in the page’s HTML source, which allows man-in-the-middle attackers to steal a user's hashed password.
History

No history.

MITRE

Status: PUBLISHED

Assigner: Liferay

Published: 2024-02-20T13:43:46.074Z

Updated: 2024-08-16T19:55:12.801Z

Reserved: 2024-02-15T07:44:36.776Z

Link: CVE-2024-26270

Vulnrichment

Updated: 2024-08-02T00:07:19.056Z

NVD

Status: Awaiting Analysis

Published: 2024-02-20T14:15:09.530

Modified: 2024-11-21T09:02:16.553

Link: CVE-2024-26270

Redhat

No data.