From 9667948cfd57b46e1df3cc2af1a3360dcb6cb9af Mon Sep 17 00:00:00 2001
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com>
Date: Tue, 28 Jan 2025 23:16:36 +0000
Subject: [PATCH] Publish Advisories GHSA-xq4r-4xfh-vch8 GHSA-xq4r-4xfh-vch8
---
 .../GHSA-xq4r-4xfh-vch8.json | 99 +++++++++++++++++++
 .../GHSA-xq4r-4xfh-vch8.json | 36 -------
 2 files changed, 99 insertions(+), 36 deletions(-)
 create mode 100644 advisories/github-reviewed/2024/02/GHSA-xq4r-4xfh-vch8/GHSA-xq4r-4xfh-vch8.json
 delete mode 100644 advisories/unreviewed/2024/02/GHSA-xq4r-4xfh-vch8/GHSA-xq4r-4xfh-vch8.json
diff --git a/advisories/github-reviewed/2024/02/GHSA-xq4r-4xfh-vch8/GHSA-xq4r-4xfh-vch8.json b/advisories/github-reviewed/2024/02/GHSA-xq4r-4xfh-vch8/GHSA-xq4r-4xfh-vch8.json
new file mode 100644
index 0000000000000..be405b262db4e
--- /dev/null
+++ b/advisories/github-reviewed/2024/02/GHSA-xq4r-4xfh-vch8/GHSA-xq4r-4xfh-vch8.json
@@ -0,0 +1,99 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xq4r-4xfh-vch8",
+ "modified": "2025-01-28T23:15:23Z",
+ "published": "2024-02-20T15:31:05Z",
+ "aliases": [
+ "CVE-2024-26270"
+ ],
+ "summary": "Liferay Portal and Liferay DXP vulnerable to theft of hashed password",
+ "details": "The Account Settings page in Liferay Portal 7.4.3.76 through 7.4.3.99, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 76 through 92 embeds the user’s hashed password in the page’s HTML source, which allows man-in-the-middle attackers to steal a user's hashed password.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "com.liferay.portal:release.portal.bom"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "7.4.3.76"
+ },
+ {
+ "fixed": "7.4.3.100"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "com.liferay.portal:release.dxp.bom"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2023.Q3"
+ },
+ {
+ "fixed": "2023.Q3.5"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "com.liferay.portal:release.dxp.bom"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "7.4.0"
+ },
+ {
+ "last_affected": "7.4.13.u92"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26270"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/liferay/liferay-portal"
+ },
+ {
+ "type": "WEB",
+ "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26270"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-201"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2025-01-28T23:15:23Z",
+ "nvd_published_at": "2024-02-20T14:15:09Z"
+ }
+}
\ No newline at end of file
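Review bot: The third `affected` entry (the `release.dxp.bom` range that starts with `"introduced": "7.4.0"`) is wider than the `details` text, which bounds the DXP 7.4 line to "update 76 through 92"; as written, matchers will flag every 7.4 update below u76 as vulnerable. If the version scheme used for `"last_affected": "7.4.13.u92"` applies, the opening event should presumably be `"introduced": "7.4.13.u76"` — confirm against the vendor advisory linked in `references`. Closing that same range with `last_affected` instead of `fixed` also leaves consumers without a remediation version; if the patched update is known, a `fixed` event is more useful to tooling. The `2023.Q3` → `2023.Q3.5` range relies on ECOSYSTEM ordering treating `2023.Q3.5` as later than `2023.Q3`, which is worth confirming against how the Maven comparator handles that patch-level suffix.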
diff --git a/advisories/unreviewed/2024/02/GHSA-xq4r-4xfh-vch8/GHSA-xq4r-4xfh-vch8.json b/advisories/unreviewed/2024/02/GHSA-xq4r-4xfh-vch8/GHSA-xq4r-4xfh-vch8.json
deleted file mode 100644
index 47c4e9b67a941..0000000000000
--- a/advisories/unreviewed/2024/02/GHSA-xq4r-4xfh-vch8/GHSA-xq4r-4xfh-vch8.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-xq4r-4xfh-vch8",
- "modified": "2025-01-28T21:30:59Z",
- "published": "2024-02-20T15:31:05Z",
- "aliases": [
- "CVE-2024-26270"
- ],
- "details": "The Account Settings page in Liferay Portal 7.4.3.76 through 7.4.3.99, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 76 through 92 embeds the user’s hashed password in the page’s HTML source, which allows man-in-the-middle attackers to steal a user's hashed password.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
- }
- ],
- "affected": [],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26270"
- },
- {
- "type": "WEB",
- "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26270"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-201"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2024-02-20T14:15:09Z"
- }
-}
\ No newline at end of file