What is the severity of CVE-2024-26268?

CVE-2024-26268 has been classified as a medium severity vulnerability.

How do I fix CVE-2024-26268?

To fix CVE-2024-26268, upgrade Liferay Portal to version 7.4.3.27 or later, or update Liferay DXP to the appropriate versions mentioned in the vulnerability description.

What affected versions are impacted by CVE-2024-26268?

CVE-2024-26268 affects Liferay Portal versions 7.2.0 through 7.4.3.26, and Liferay DXP versions prior to updates 27, 8, and 20 respectively.

What is a user enumeration vulnerability like CVE-2024-26268?

A user enumeration vulnerability allows attackers to determine the existence of user accounts in the application, potentially leading to targeted attacks.

Are older unsupported versions of Liferay also vulnerable to CVE-2024-26268?

Yes, older unsupported versions of Liferay are also vulnerable to CVE-2024-26268.

Vulnerability/
CVE-2024-26268

medium

5.3

CWE

203

EPSS

0.043%

20/2/2024

28/1/2025

CVE-2024-26268

First published: Tue Feb 20 2024(Updated: )

User enumeration vulnerability in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 8, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to determine if an account exist in the application by comparing the request's response time.

Credit: security@liferay.com

Affected Software	Affected Version	How to fix
Liferay 7.4 GA	>=7.2.0<7.4.3.26
Liferay DXP	<7.4.27<7.3.8<7.2.20
Liferay 7.4 GA	<=7.3.7
Liferay 7.4 GA	>=7.4.0<7.4.3.27
Liferay 7.4 GA	<7.2
Liferay 7.4 GA	=7.2
Liferay 7.4 GA	=7.2-fix_pack_1
Liferay 7.4 GA	=7.2-fix_pack_10
Liferay 7.4 GA	=7.2-fix_pack_11
Liferay 7.4 GA	=7.2-fix_pack_12
Liferay 7.4 GA	=7.2-fix_pack_13
Liferay 7.4 GA	=7.2-fix_pack_14
Liferay 7.4 GA	=7.2-fix_pack_15
Liferay 7.4 GA	=7.2-fix_pack_16
Liferay 7.4 GA	=7.2-fix_pack_17
Liferay 7.4 GA	=7.2-fix_pack_18
Liferay 7.4 GA	=7.2-fix_pack_19
Liferay 7.4 GA	=7.2-fix_pack_2
Liferay 7.4 GA	=7.2-fix_pack_3
Liferay 7.4 GA	=7.2-fix_pack_4
Liferay 7.4 GA	=7.2-fix_pack_5
Liferay 7.4 GA	=7.2-fix_pack_6
Liferay 7.4 GA	=7.2-fix_pack_7
Liferay 7.4 GA	=7.2-fix_pack_8
Liferay 7.4 GA	=7.2-fix_pack_9
Liferay 7.4 GA	=7.2-service_pack_1
Liferay 7.4 GA	=7.2-service_pack_2
Liferay 7.4 GA	=7.2-service_pack_3
Liferay 7.4 GA	=7.2-service_pack_4
Liferay 7.4 GA	=7.2-service_pack_5
Liferay 7.4 GA	=7.2-service_pack_6
Liferay 7.4 GA	=7.2-service_pack_7
Liferay 7.4 GA	=7.3
Liferay 7.4 GA	=7.3-fix_pack_1
Liferay 7.4 GA	=7.3-fix_pack_2
Liferay 7.4 GA	=7.3-service_pack_1
Liferay 7.4 GA	=7.3-service_pack_3
Liferay 7.4 GA	=7.3-update4
Liferay 7.4 GA	=7.3-update5
Liferay 7.4 GA	=7.3-update6
Liferay 7.4 GA	=7.3-update7
Liferay 7.4 GA	=7.4
Liferay 7.4 GA	=7.4-update1
Liferay 7.4 GA	=7.4-update10
Liferay 7.4 GA	=7.4-update11
Liferay 7.4 GA	=7.4-update12
Liferay 7.4 GA	=7.4-update13
Liferay 7.4 GA	=7.4-update14
Liferay 7.4 GA	=7.4-update15
Liferay 7.4 GA	=7.4-update16
Liferay 7.4 GA	=7.4-update17
Liferay 7.4 GA	=7.4-update18
Liferay 7.4 GA	=7.4-update19
Liferay 7.4 GA	=7.4-update2
Liferay 7.4 GA	=7.4-update20
Liferay 7.4 GA	=7.4-update21
Liferay 7.4 GA	=7.4-update22
Liferay 7.4 GA	=7.4-update23
Liferay 7.4 GA	=7.4-update24
Liferay 7.4 GA	=7.4-update25
Liferay 7.4 GA	=7.4-update26
Liferay 7.4 GA	=7.4-update3
Liferay 7.4 GA	=7.4-update4
Liferay 7.4 GA	=7.4-update5
Liferay 7.4 GA	=7.4-update6
Liferay 7.4 GA	=7.4-update7
Liferay 7.4 GA	=7.4-update8
Liferay 7.4 GA	=7.4-update9

Never miss a vulnerability like this again

Reference Links

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26268

Frequently Asked Questions

What is the severity of CVE-2024-26268?
CVE-2024-26268 has been classified as a medium severity vulnerability.
How do I fix CVE-2024-26268?
To fix CVE-2024-26268, upgrade Liferay Portal to version 7.4.3.27 or later, or update Liferay DXP to the appropriate versions mentioned in the vulnerability description.
What affected versions are impacted by CVE-2024-26268?
CVE-2024-26268 affects Liferay Portal versions 7.2.0 through 7.4.3.26, and Liferay DXP versions prior to updates 27, 8, and 20 respectively.
What is a user enumeration vulnerability like CVE-2024-26268?
A user enumeration vulnerability allows attackers to determine the existence of user accounts in the application, potentially leading to targeted attacks.
Are older unsupported versions of Liferay also vulnerable to CVE-2024-26268?
Yes, older unsupported versions of Liferay are also vulnerable to CVE-2024-26268.

agent/weakness
agent/references
agent/type
agent/first-publish-date
agent/description
agent/author
agent/severity
agent/event
collector/epss-latest
source/FIRST
agent/epss
collector/mitre-cve
source/MITRE
agent/source
agent/last-modified-date
agent/guess-ai
agent/software-canonical-lookup
agent/software-canonical-lookup-request
agent/softwarecombine
agent/tags
collector/nvd-api
source/NVD
vendor/liferay
canonical/liferay 7.4 ga
canonical/liferay dxp
version/liferay 7.4 ga/7.3.7
version/liferay 7.4 ga/7.4.0
version/liferay 7.4 ga/7.2
version/liferay 7.4 ga/7.2-fix_pack_1
version/liferay 7.4 ga/7.2-fix_pack_10
version/liferay 7.4 ga/7.2-fix_pack_11
version/liferay 7.4 ga/7.2-fix_pack_12
version/liferay 7.4 ga/7.2-fix_pack_13
version/liferay 7.4 ga/7.2-fix_pack_14
version/liferay 7.4 ga/7.2-fix_pack_15
version/liferay 7.4 ga/7.2-fix_pack_16
version/liferay 7.4 ga/7.2-fix_pack_17
version/liferay 7.4 ga/7.2-fix_pack_18
version/liferay 7.4 ga/7.2-fix_pack_19
version/liferay 7.4 ga/7.2-fix_pack_2
version/liferay 7.4 ga/7.2-fix_pack_3
version/liferay 7.4 ga/7.2-fix_pack_4
version/liferay 7.4 ga/7.2-fix_pack_5
version/liferay 7.4 ga/7.2-fix_pack_6
version/liferay 7.4 ga/7.2-fix_pack_7
version/liferay 7.4 ga/7.2-fix_pack_8
version/liferay 7.4 ga/7.2-fix_pack_9
version/liferay 7.4 ga/7.2-service_pack_1
version/liferay 7.4 ga/7.2-service_pack_2
version/liferay 7.4 ga/7.2-service_pack_3
version/liferay 7.4 ga/7.2-service_pack_4
version/liferay 7.4 ga/7.2-service_pack_5
version/liferay 7.4 ga/7.2-service_pack_6
version/liferay 7.4 ga/7.2-service_pack_7
version/liferay 7.4 ga/7.3
version/liferay 7.4 ga/7.3-fix_pack_1
version/liferay 7.4 ga/7.3-fix_pack_2
version/liferay 7.4 ga/7.3-service_pack_1
version/liferay 7.4 ga/7.3-service_pack_3
version/liferay 7.4 ga/7.3-update4
version/liferay 7.4 ga/7.3-update5
version/liferay 7.4 ga/7.3-update6
version/liferay 7.4 ga/7.3-update7
version/liferay 7.4 ga/7.4
version/liferay 7.4 ga/7.4-update1
version/liferay 7.4 ga/7.4-update10
version/liferay 7.4 ga/7.4-update11
version/liferay 7.4 ga/7.4-update12
version/liferay 7.4 ga/7.4-update13
version/liferay 7.4 ga/7.4-update14
version/liferay 7.4 ga/7.4-update15
version/liferay 7.4 ga/7.4-update16
version/liferay 7.4 ga/7.4-update17
version/liferay 7.4 ga/7.4-update18
version/liferay 7.4 ga/7.4-update19
version/liferay 7.4 ga/7.4-update2
version/liferay 7.4 ga/7.4-update20
version/liferay 7.4 ga/7.4-update21
version/liferay 7.4 ga/7.4-update22
version/liferay 7.4 ga/7.4-update23
version/liferay 7.4 ga/7.4-update24
version/liferay 7.4 ga/7.4-update25
version/liferay 7.4 ga/7.4-update26
version/liferay 7.4 ga/7.4-update3
version/liferay 7.4 ga/7.4-update4
version/liferay 7.4 ga/7.4-update5
version/liferay 7.4 ga/7.4-update6
version/liferay 7.4 ga/7.4-update7
version/liferay 7.4 ga/7.4-update8
version/liferay 7.4 ga/7.4-update9