CVE-2024-25146

Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 18, and older unsupported versions returns with different responses depending on whether a site does not exist or if the user does not have permission to access the site, which allows remote attackers to discover the existence of sites by enumerating URLs. This vulnerability occurs if locale.prepend.friendly.url.style=2 and if a custom 404 page is used.

CVSS v3.0 5.3 MEDIUM

5.3^/10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25146	Vendor Advisory
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25146	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:liferay:digital_experience_platform:7.2:-::::::
	cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1::::::
	cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2::::::
	cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3::::::
	cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_5::::::
	cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4::::::
	cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_6::::::
	cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_7::::::
	cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_8::::::
	cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_9::::::
	cpe:2.3:a:liferay:dxp:7.3:-::::::
	cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_10::::::
	cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_11::::::
	cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_14::::::
	cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_12::::::
	cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_13::::::
	cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_15::::::
	cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_16::::::
	cpe:2.3:a:liferay:dxp:7.3:sp1::::::
	cpe:2.3:a:liferay:dxp:7.3:sp2::::::
	cpe:2.3:a:liferay:liferay_portal::::::::
	cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_17::::::

History

13 May 2025, 18:17

Type	Values Removed	Values Added
CPE	cpe:2.3:a:liferay:dxp:7.2:fix_pack_2:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_1:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_17:::::: cpe:2.3:a:liferay:dxp:7.2:-:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_7:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_5:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_16:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_10:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_9:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_8:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_3:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_6:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_13:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_15:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_12:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_4:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_11:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_14::::::	cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:::::: cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_6:::::: cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_10:::::: cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_16:::::: cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_13:::::: cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_12:::::: cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:::::: cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_17:::::: cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_7:::::: cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_8:::::: cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_5:::::: cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_11:::::: cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_15:::::: cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:::::: cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_9:::::: cpe:2.3:a:liferay:digital_experience_platform:7.2:-:::::: cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_14:::::: cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1::::::
First Time		Liferay digital Experience Platform

15 Feb 2024, 04:37

Type	Values Removed	Values Added
First Time		Liferay Liferay dxp Liferay liferay Portal
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.3
CWE		CWE-203
References	~~() https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25146 -~~	() https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25146 - Vendor Advisory
CPE		cpe:2.3:a:liferay:dxp:7.2:fix_pack_6:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_15:::::: cpe:2.3:a:liferay:dxp:7.2:-:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_5:::::: cpe:2.3:a:liferay:liferay_portal:::::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_1:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_12:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_16:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_8:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_13:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_11:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_14:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_10:::::: cpe:2.3:a:liferay:dxp:7.3:-:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_3:::::: cpe:2.3:a:liferay:dxp:7.3:sp2:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_9:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_17:::::: cpe:2.3:a:liferay:dxp:7.3:sp1:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_4:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_7:::::: cpe:2.3:a:liferay:dxp:7.2:fix_pack_2::::::

08 Feb 2024, 04:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-08 04:15

Updated : 2025-05-13 18:17

NVD link : CVE-2024-25146

Mitre link : CVE-2024-25146

JSON object : View

Products Affected

liferay

liferay_portal
digital_experience_platform
dxp

CWE

CWE-203

Observable Discrepancy

5.3 /10