CVE-2024-26270: Liferay Portal and Liferay DXP vulnerable to theft of hashed password

February 20, 2024 (updated January 28, 2025)

The Account Settings page in Liferay Portal 7.4.3.76 through 7.4.3.99, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 76 through 92 embeds the user’s hashed password in the page’s HTML source, which allows man-in-the-middle attackers to steal a user’s hashed password.

References

github.com/advisories/GHSA-xq4r-4xfh-vch8
github.com/liferay/liferay-portal
liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26270
nvd.nist.gov/vuln/detail/CVE-2024-26270

Detect and mitigate CVE-2024-26270 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →