{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-26268", "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3", "state": "PUBLISHED", "assignerShortName": "Liferay", "dateReserved": "2024-02-15T07:44:36.776Z", "datePublished": "2024-02-20T13:17:28.137Z", "dateUpdated": "2024-08-15T17:50:15.783Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "Portal", "vendor": "Liferay", "versions": [{"lessThanOrEqual": "7.4.3.26", "status": "affected", "version": "7.2.0", "versionType": "maven"}]}, {"defaultStatus": "unknown", "product": "DXP", "vendor": "Liferay", "versions": [{"lessThanOrEqual": "7.4.13.u26", "status": "affected", "version": "7.4.13", "versionType": "maven"}, {"lessThanOrEqual": "7.3.10.u7", "status": "affected", "version": "7.3.10", "versionType": "maven"}, {"lessThanOrEqual": "7.2.10-dxp-19", "status": "affected", "version": "7.2.10", "versionType": "maven"}]}], "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Barnab\u00e1s Horv\u00e1th (T4r0)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "User enumeration vulnerability in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 8, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to determine if an account exist in the application by comparing the request's response time."}], "value": "User enumeration vulnerability in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 8, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to determine if an account exist in the application by comparing the request's response time."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-203", "description": "CWE-203 Observable Discrepancy", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3", "shortName": "Liferay", "dateUpdated": "2024-02-21T03:50:53.570Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26268"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:07:19.174Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26268"}]}, {"affected": [{"vendor": "liferay", "product": "liferay_enterprise_portal", "cpes": ["cpe:2.3:a:liferay:liferay_enterprise_portal:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "7.2.0", "status": "affected", "lessThanOrEqual": "7.4.3.26", "versionType": "custom"}]}, {"vendor": "ibexa", "product": "digital_experience_platform", "cpes": ["cpe:2.3:a:ibexa:digital_experience_platform:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "7.4.13", "status": "affected", "lessThanOrEqual": "7.4.13.u26", "versionType": "custom"}, {"version": "7.3.10", "status": "affected", "lessThanOrEqual": "7.3.10.u7", "versionType": "custom"}, {"version": "7.2.10", "status": "affected", "lessThanOrEqual": "7.2.10-dxp-19", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-02-20T16:17:11.147707Z", "id": "CVE-2024-26268", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-15T17:50:15.783Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26268", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:07:19.174Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26268", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-20T16:17:11.147707Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:liferay:liferay_enterprise_portal:*:*:*:*:*:*:*:*"], "vendor": "liferay", "product": "liferay_enterprise_portal", "versions": [{"status": "affected", "version": "7.2.0", "versionType": "custom", "lessThanOrEqual": "7.4.3.26"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:ibexa:digital_experience_platform:*:*:*:*:*:*:*:*"], "vendor": "ibexa", "product": "digital_experience_platform", "versions": [{"status": "affected", "version": "7.4.13", "versionType": "custom", "lessThanOrEqual": "7.4.13.u26"}, {"status": "affected", "version": "7.3.10", "versionType": "custom", "lessThanOrEqual": "7.3.10.u7"}, {"status": "affected", "version": "7.2.10", "versionType": "custom", "lessThanOrEqual": "7.2.10-dxp-19"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-15T17:49:47.234Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Barnab\u00e1s Horv\u00e1th (T4r0)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Liferay", "product": "Portal", "versions": [{"status": "affected", "version": "7.2.0", "versionType": "maven", "lessThanOrEqual": "7.4.3.26"}], "defaultStatus": "unknown"}, {"vendor": "Liferay", "product": "DXP", "versions": [{"status": "affected", "version": "7.4.13", "versionType": "maven", "lessThanOrEqual": "7.4.13.u26"}, {"status": "affected", "version": "7.3.10", "versionType": "maven", "lessThanOrEqual": "7.3.10.u7"}, {"status": "affected", "version": "7.2.10", "versionType": "maven", "lessThanOrEqual": "7.2.10-dxp-19"}], "defaultStatus": "unknown"}], "references": [{"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26268", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "User enumeration vulnerability in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 8, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to determine if an account exist in the application by comparing the request's response time.", "supportingMedia": [{"type": "text/html", "value": "User enumeration vulnerability in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 8, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to determine if an account exist in the application by comparing the request's response time.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-203", "description": "CWE-203 Observable Discrepancy"}]}], "providerMetadata": {"orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3", "shortName": "Liferay", "dateUpdated": "2024-02-21T03:50:53.570Z"}}}, "cveMetadata": {"cveId": "CVE-2024-26268", "state": "PUBLISHED", "dateUpdated": "2024-08-15T17:50:15.783Z", "dateReserved": "2024-02-15T07:44:36.776Z", "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3", "datePublished": "2024-02-20T13:17:28.137Z", "assignerShortName": "Liferay"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "User enumeration vulnerability in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 8, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to determine if an account exist in the application by comparing the request's response time."}, {"lang": "es", "value": "Vulnerabilidad de enumeraci\u00f3n de usuarios en Liferay Portal 7.2.0 a 7.4.3.26 y versiones anteriores no soportadas, y Liferay DXP 7.4 antes de la actualizaci\u00f3n 27, 7.3 antes de la actualizaci\u00f3n 8, 7.2 antes del fixpack 20 y versiones anteriores no soportadas permite a atacantes remotos determinar si una cuenta existen en la aplicaci\u00f3n comparando el tiempo de respuesta de la solicitud."}], "id": "CVE-2024-26268", "lastModified": "2024-02-20T19:50:53.960", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@liferay.com", "type": "Secondary"}]}, "published": "2024-02-20T14:15:09.350", "references": [{"source": "security@liferay.com", "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26268"}], "sourceIdentifier": "security@liferay.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-203"}], "source": "security@liferay.com", "type": "Secondary"}]}

{}