CVE-2024-25605
Liferay Portal and Liferay DXP Allows Templates to be Viewed via the UI or API
CVSS 3.1 base score: 5.3 (MEDIUM). EPSS: 0.19%.
Description
The Journal module in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions grants guest users view permission to web content templates by default, which allows remote attackers to view any template via the UI or API.
How to fix CVE-2024-25605
To remediate CVE-2024-25605, upgrade the affected package to one of the fixed versions listed below.
- Upgrade to 7.2.10.fp17 or later
- Upgrade to 7.4.3.5-ga5 or later
Is CVE-2024-25605 being exploited?
Low: the EPSS score is 0.2%, indicating that exploitation activity has not been observed at scale.
Affected packages (2)
- >= 0 (all versions), < 7.2.10.fp17
- >= 7.2.0, < 7.4.3.5-ga5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.3) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |