CVE-2024-26268
First published: Tue Feb 20 2024(Updated: )
User enumeration vulnerability in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 8, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to determine if an account exist in the application by comparing the request's response time.
Credit: security@liferay.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Liferay 7.4 GA | >=7.2.0<7.4.3.26 | |
| Liferay DXP | <7.4.27<7.3.8<7.2.20 | |
| Liferay 7.4 GA | <=7.3.7 | |
| Liferay 7.4 GA | >=7.4.0<7.4.3.27 | |
| Liferay DXP | <7.2 | |
| Liferay DXP | =7.2 | |
| Liferay DXP | =7.2-fix_pack_1 | |
| Liferay DXP | =7.2-fix_pack_10 | |
| Liferay DXP | =7.2-fix_pack_11 | |
| Liferay DXP | =7.2-fix_pack_12 | |
| Liferay DXP | =7.2-fix_pack_13 | |
| Liferay DXP | =7.2-fix_pack_14 | |
| Liferay DXP | =7.2-fix_pack_15 | |
| Liferay DXP | =7.2-fix_pack_16 | |
| Liferay DXP | =7.2-fix_pack_17 | |
| Liferay DXP | =7.2-fix_pack_18 | |
| Liferay DXP | =7.2-fix_pack_19 | |
| Liferay DXP | =7.2-fix_pack_2 | |
| Liferay DXP | =7.2-fix_pack_3 | |
| Liferay DXP | =7.2-fix_pack_4 | |
| Liferay DXP | =7.2-fix_pack_5 | |
| Liferay DXP | =7.2-fix_pack_6 | |
| Liferay DXP | =7.2-fix_pack_7 | |
| Liferay DXP | =7.2-fix_pack_8 | |
| Liferay DXP | =7.2-fix_pack_9 | |
| Liferay DXP | =7.2-service_pack_1 | |
| Liferay DXP | =7.2-service_pack_2 | |
| Liferay DXP | =7.2-service_pack_3 | |
| Liferay DXP | =7.2-service_pack_4 | |
| Liferay DXP | =7.2-service_pack_5 | |
| Liferay DXP | =7.2-service_pack_6 | |
| Liferay DXP | =7.2-service_pack_7 | |
| Liferay DXP | =7.3 | |
| Liferay DXP | =7.3-fix_pack_1 | |
| Liferay DXP | =7.3-fix_pack_2 | |
| Liferay DXP | =7.3-service_pack_1 | |
| Liferay DXP | =7.3-service_pack_3 | |
| Liferay DXP | =7.3-update4 | |
| Liferay DXP | =7.3-update5 | |
| Liferay DXP | =7.3-update6 | |
| Liferay DXP | =7.3-update7 | |
| Liferay DXP | =7.4 | |
| Liferay DXP | =7.4-update1 | |
| Liferay DXP | =7.4-update10 | |
| Liferay DXP | =7.4-update11 | |
| Liferay DXP | =7.4-update12 | |
| Liferay DXP | =7.4-update13 | |
| Liferay DXP | =7.4-update14 | |
| Liferay DXP | =7.4-update15 | |
| Liferay DXP | =7.4-update16 | |
| Liferay DXP | =7.4-update17 | |
| Liferay DXP | =7.4-update18 | |
| Liferay DXP | =7.4-update19 | |
| Liferay DXP | =7.4-update2 | |
| Liferay DXP | =7.4-update20 | |
| Liferay DXP | =7.4-update21 | |
| Liferay DXP | =7.4-update22 | |
| Liferay DXP | =7.4-update23 | |
| Liferay DXP | =7.4-update24 | |
| Liferay DXP | =7.4-update25 | |
| Liferay DXP | =7.4-update26 | |
| Liferay DXP | =7.4-update3 | |
| Liferay DXP | =7.4-update4 | |
| Liferay DXP | =7.4-update5 | |
| Liferay DXP | =7.4-update6 | |
| Liferay DXP | =7.4-update7 | |
| Liferay DXP | =7.4-update8 | |
| Liferay DXP | =7.4-update9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-26268?
CVE-2024-26268 has been classified as a medium severity vulnerability.
How do I fix CVE-2024-26268?
To fix CVE-2024-26268, upgrade Liferay Portal to version 7.4.3.27 or later, or update Liferay DXP to the appropriate versions mentioned in the vulnerability description.
What affected versions are impacted by CVE-2024-26268?
CVE-2024-26268 affects Liferay Portal versions 7.2.0 through 7.4.3.26, and Liferay DXP versions prior to updates 27, 8, and 20 respectively.
What is a user enumeration vulnerability like CVE-2024-26268?
A user enumeration vulnerability allows attackers to determine the existence of user accounts in the application, potentially leading to targeted attacks.
Are older unsupported versions of Liferay also vulnerable to CVE-2024-26268?
Yes, older unsupported versions of Liferay are also vulnerable to CVE-2024-26268.
- agent/weakness
- agent/references
- agent/type
- agent/first-publish-date
- agent/description
- agent/author
- agent/severity
- agent/event
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/mitre-cve
- source/MITRE
- agent/source
- agent/last-modified-date
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/tags
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- vendor/liferay
- canonical/liferay 7.4 ga
- canonical/liferay dxp
- version/liferay 7.4 ga/7.3.7
- version/liferay 7.4 ga/7.4.0
- version/liferay dxp/7.2
- version/liferay dxp/7.2-fix_pack_1
- version/liferay dxp/7.2-fix_pack_10
- version/liferay dxp/7.2-fix_pack_11
- version/liferay dxp/7.2-fix_pack_12
- version/liferay dxp/7.2-fix_pack_13
- version/liferay dxp/7.2-fix_pack_14
- version/liferay dxp/7.2-fix_pack_15
- version/liferay dxp/7.2-fix_pack_16
- version/liferay dxp/7.2-fix_pack_17
- version/liferay dxp/7.2-fix_pack_18
- version/liferay dxp/7.2-fix_pack_19
- version/liferay dxp/7.2-fix_pack_2
- version/liferay dxp/7.2-fix_pack_3
- version/liferay dxp/7.2-fix_pack_4
- version/liferay dxp/7.2-fix_pack_5
- version/liferay dxp/7.2-fix_pack_6
- version/liferay dxp/7.2-fix_pack_7
- version/liferay dxp/7.2-fix_pack_8
- version/liferay dxp/7.2-fix_pack_9
- version/liferay dxp/7.2-service_pack_1
- version/liferay dxp/7.2-service_pack_2
- version/liferay dxp/7.2-service_pack_3
- version/liferay dxp/7.2-service_pack_4
- version/liferay dxp/7.2-service_pack_5
- version/liferay dxp/7.2-service_pack_6
- version/liferay dxp/7.2-service_pack_7
- version/liferay dxp/7.3
- version/liferay dxp/7.3-fix_pack_1
- version/liferay dxp/7.3-fix_pack_2
- version/liferay dxp/7.3-service_pack_1
- version/liferay dxp/7.3-service_pack_3
- version/liferay dxp/7.3-update4
- version/liferay dxp/7.3-update5
- version/liferay dxp/7.3-update6
- version/liferay dxp/7.3-update7
- version/liferay dxp/7.4
- version/liferay dxp/7.4-update1
- version/liferay dxp/7.4-update10
- version/liferay dxp/7.4-update11
- version/liferay dxp/7.4-update12
- version/liferay dxp/7.4-update13
- version/liferay dxp/7.4-update14
- version/liferay dxp/7.4-update15
- version/liferay dxp/7.4-update16
- version/liferay dxp/7.4-update17
- version/liferay dxp/7.4-update18
- version/liferay dxp/7.4-update19
- version/liferay dxp/7.4-update2
- version/liferay dxp/7.4-update20
- version/liferay dxp/7.4-update21
- version/liferay dxp/7.4-update22
- version/liferay dxp/7.4-update23
- version/liferay dxp/7.4-update24
- version/liferay dxp/7.4-update25
- version/liferay dxp/7.4-update26
- version/liferay dxp/7.4-update3
- version/liferay dxp/7.4-update4
- version/liferay dxp/7.4-update5
- version/liferay dxp/7.4-update6
- version/liferay dxp/7.4-update7
- version/liferay dxp/7.4-update8
- version/liferay dxp/7.4-update9