Liferay Portal allows attackers to discover the existence of sites

2024-02-0806:30:23

CWE-203

CWE-204

GitHub Advisory Database

github.com

liferay portal

attackers

site existence

remote

vulnerability

urls

enumeration

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

0.0005 Low

EPSS

Percentile

17.0%

JSON

Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 18, and older unsupported versions returns with different responses depending on whether a site does not exist or if the user does not have permission to access the site, which allows remote attackers to discover the existence of sites by enumerating URLs. This vulnerability occurs if locale.prepend.friendly.url.style=2 and if a custom 404 page is used.

Affected configurations

Vulners

Node

com.liferay.portal\Matchrelease.dxp.bom

com.liferay.portal\Matchrelease.portal.bom

CPENameOperatorVersion
com.liferay.portal:release.dxp.bomlt7.2.10.fp18
com.liferay.portal:release.dxp.bomlt7.3.10.u4
com.liferay.portal:release.portal.bomlt7.4.2