CVE-2024-26270 Information

Description

The Account Settings page in Liferay Portal 7.4.3.76 through 7.4.3.99 and Liferay DXP 2023.Q3 before patch 5 and 7.4 update 76 through 92 embeds the user’s hashed password in the page’s HTML source which allows man-in-the-middle attackers to steal a user’s hashed password.

Reference

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26270