CVE-2024-25604 MEDIUM

CVE-2024-25604

Vendor Liferay
Product Portal
Weakness CWE-863 · Incorrect authorization
Published February 20, 2024
Last update August 1, 2024
View on NVD All CVEs

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01Description

Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions does not properly check user permissions, which allows remote authenticated users with the VIEW user permission to edit their own permission via the User and Organizations section of the Control Panel.

Key dates

02Disclosure timeline

February 20, 2024 CVE published
August 1, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-3136 Google Cloud Build Comment Control Bypass CVE-2025-62487 Under certain configurations, file artifacts uploaded to the Dossier and Slides apps did not inherit security markings of their parent artifact. This lack of security markings could lead to unintended access to the uploaded files. CVE-2026-30228 Parse Server: File creation and deletion bypasses `readOnlyMasterKey` write restriction CVE-2024-13302 Pages Restriction Access - Critical - Access bypass - SA-CONTRIB-2024-068 CVE-2025-4972 Incorrect Authorization in GitLab