In Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions the `doAsUserId` URL parameter may get leaked when creating linked content using the WYSIWYG editor and while impersonating a user. This may allow remote authenticated users to impersonate a user after accessing the linked content.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: Liferay
Published: 2024-02-08T03:43:14.148Z
Updated: 2024-08-21T17:33:47.793Z
Reserved: 2024-02-06T10:32:42.567Z
Link: CVE-2024-25148
Vulnrichment
Updated: 2024-08-01T23:36:21.792Z
NVD
Status : Analyzed
Published: 2024-02-08T04:15:08.240
Modified: 2024-02-15T04:37:31.957
Link: CVE-2024-25148
Redhat
No data.