The Account Settings page in Liferay Portal 7.4.3.76 through 7.4.3.99, and Liferay DXP 2023.Q3 before patch 5 and 7.4 update 76 through 92, embeds the user's hashed password in the page's HTML source, which allows man-in-the-middle attackers to steal a user's hashed password.
Configurations
No configuration.
History
20 Feb 2024, 14:15
Type | Values Removed | Values Added |
---|---|---|
New CVE | | |
Information
Published : 2024-02-20 14:15
Updated : 2024-02-20 19:50
NVD link : CVE-2024-26270
Mitre link : CVE-2024-26270
CVE.ORG link : CVE-2024-26270
Products Affected
No product.
CWE
CWE-201
Insertion of Sensitive Information Into Sent Data