Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions does not properly check user permissions, which allows remote authenticated users with the VIEW user permission to edit their own permission via the User and Organizations section of the Control Panel.

Affected Packages

Maven com.liferay.portal:release.portal.bom

Affected versions: 7.2.0 (fixed in 7.4.3.5-ga5)

Maven com.liferay.portal:release.dxp.bom

Affected versions: 0 (fixed in 7.2.10.fp17)

Related CVEs

CVE-2024-25604

Key Information

GHSA ID

GHSA-pw7p-3648-qqmg

Published

February 20, 2024 9:30 AM

Last Modified

July 29, 2025 12:34 PM

CVSS Score

5.0 /10

Primary Ecosystem

Maven

Primary Package

com.liferay.portal:release.portal.bom

GitHub Reviewed

✓ Yes

Dataset

Last updated: September 16, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.