SCA: security update for com.liferay.portal:release.dxp.bom, com.liferay.portal:release.portal.bom (GHSA-mf8h-grfg-j9j3)

medium Tenable Cloud Security Plugin ID 428655

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- The Journal module in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay
DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions grants guest
users view permission to web content templates by default, which allows remote attackers to view any
template via the UI or API. (CVE-2024-25605)

Solution

Update the com.liferay.portal:release.dxp.bom library and its related packages to version 7.2.10.fp17 or later.

See Also

https://github.com/advisories/GHSA-mf8h-grfg-j9j3

Plugin Details

Severity: Medium

ID: 428655

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 7/29/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2024-25605

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 2/20/2024

Vulnerability Publication Date: 2/20/2024

Reference Information

CVE: CVE-2024-25605

cwe: CWE-276