CVE-2024-25149 Information

Description

Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions do not properly restrict membership of a child site when the "Limit membership to members of the parent site" option is enabled, which allows remote authenticated users to add users who are not members of the parent site to a child site. The added user may obtain permission to perform unauthorized actions in the child site.

Reference

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25149
