CVE-2024-25150: 
Java vulnerability analysis and mitigation

CVE-2024-25150 is an information disclosure vulnerability discovered in the Control Panel of Liferay Portal and Liferay DXP. The vulnerability was first disclosed on February 20, 2024, and affects multiple versions of Liferay Portal (7.2.0 through 7.4.2) and Liferay DXP (7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions). The vulnerability was reported by security researcher Sahil Mehra (Liferay Advisory).

The vulnerability allows remote authenticated users to obtain a user's full name from the page's title by enumerating user screen names in the Control Panel. The severity of this vulnerability has been assessed with a CVSS v3.1 base score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. This indicates that the vulnerability requires network access and low privileges to exploit, with no user interaction needed, and affects only confidentiality at a low level (Liferay Advisory).

The primary impact of this vulnerability is the unauthorized disclosure of users' full names through the page title in the Control Panel. While the impact is limited to information disclosure with no effect on system integrity or availability, it could potentially be used for user enumeration and information gathering in targeted attacks (NVD).

The vulnerability has been fixed in Liferay Portal version 7.4.3.4, Liferay DXP 7.3 update 4, and Liferay DXP 7.2 fix pack 19. Users are advised to upgrade to these fixed versions to mitigate the vulnerability (Liferay Advisory).