
CVE-2024-25146: CWE-204 Observable Response Discrepancy in Liferay Portal

Severity: Medium
Published: Thu Feb 08 2024 (02/08/2024, 03:36:07 UTC)
Source: CVE
Vendor/Project: Liferay
Product: Portal

Description

Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 18, and older unsupported versions returns with different responses depending on whether a site does not exist or if the user does not have permission to access the site, which allows remote attackers to discover the existence of sites by enumerating URLs. This vulnerability occurs if locale.prepend.friendly.url.style=2 and if a custom 404 page is used.

AI-Powered Analysis

Last updated: 07/04/2025, 19:11:56 UTC

Technical Analysis

CVE-2024-25146 is a medium severity information disclosure vulnerability affecting Liferay Portal versions 7.2.0 through 7.4.1, including Liferay DXP 7.3 before service pack 3 and 7.2 before fix pack 18, as well as older unsupported versions. The vulnerability arises from an observable response discrepancy when accessing site URLs under specific configuration conditions: when the setting locale.prepend.friendly.url.style is set to 2 and a custom 404 error page is in use. Under these conditions, the portal returns different HTTP responses depending on whether a requested site does not exist or the user lacks permission to access it. This behavior allows remote attackers to enumerate valid site URLs by analyzing the differences in server responses, confirming the existence of sites without authentication or user interaction. The vulnerability is classified under CWE-204 (Observable Response Discrepancy), which involves information leakage through differences in system responses. The CVSS v3.1 base score is 5.3 (medium), reflecting that the attack vector is network-based, requires no privileges or user interaction, and impacts confidentiality only, with no effect on integrity or availability. No known public exploits are reported yet, and no patches are linked in the provided data, indicating that remediation may require vendor updates or configuration changes. This vulnerability does not allow direct access to site content but facilitates reconnaissance that could aid further targeted attacks or social engineering by confirming valid site existence within an organization’s Liferay deployment.

Potential Impact

For European organizations using affected versions of Liferay Portal or Liferay DXP, this vulnerability primarily poses a confidentiality risk by enabling unauthorized site enumeration. Attackers can remotely discover valid site URLs, which may reveal internal or sensitive portals that were intended to be hidden or restricted. This information leakage can facilitate targeted phishing, social engineering, or subsequent exploitation attempts against identified sites. While the vulnerability does not directly compromise data integrity or availability, the reconnaissance advantage it provides can increase the attack surface and risk profile of organizations. Given Liferay’s popularity in enterprise content management and intranet portals, organizations in sectors such as government, finance, healthcare, and education across Europe could be impacted. The ability to enumerate sites without authentication lowers the barrier for attackers to map internal resources, potentially exposing sensitive business or personal information indirectly. However, the absence of known exploits and the medium severity rating suggest that immediate critical damage is unlikely, but the vulnerability should be addressed promptly to reduce exposure.

Mitigation Recommendations

To mitigate CVE-2024-25146, European organizations should first verify if their Liferay Portal or DXP installations are within the affected version ranges and configurations. If possible, upgrade to the latest Liferay versions or apply vendor-provided patches once available. In the interim, organizations should consider disabling or modifying the locale.prepend.friendly.url.style setting from value 2 to a less vulnerable configuration. Additionally, avoid using custom 404 pages that reveal different responses based on site existence; standardize error handling to return uniform responses regardless of site presence or permission status. Implement web application firewalls (WAFs) to detect and block suspicious URL enumeration patterns. Monitoring access logs for repeated 404 or permission-denied responses can help identify reconnaissance attempts. Restricting public access to Liferay portals and enforcing strong authentication and authorization controls further reduce risk. Finally, conduct regular security assessments and penetration tests to verify that no information leakage occurs through response discrepancies or other side channels.
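The log-monitoring recommendation above, as an added example (not code from Liferay or from this page): it flags clients whose requests for site friendly URLs are mostly answered with not-found or permission-denied statuses across many distinct site names. The `/web/` and `/group/` path pattern with an optional locale prefix, the status set and the thresholds are assumptions to adjust for the deployment; the log lines are constructed.

```python
import re
from collections import defaultdict

# Combined Log Format: client IP, request path, status code.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')
# Assumption: site friendly URLs look like /web/<site> or /group/<site>,
# optionally prefixed by a locale segment such as /en or /en_US.
SITE_RE = re.compile(
    r'^/(?:[a-z]{2}(?:[_-][A-Za-z]{2})?/)?(?:web|group)/([^/?#]+)')
# Assumption: statuses counted as "not found" or "permission denied".
DENIED = {401, 403, 404}

def find_enumerators(lines, min_sites=5, min_denied_ratio=0.8):
    """Return {client_ip: sorted distinct site names} for clients whose
    site-URL requests are mostly denied and span >= min_sites names."""
    probed = defaultdict(set)   # ip -> site names answered with DENIED
    total = defaultdict(int)    # ip -> all site-URL requests
    denied = defaultdict(int)   # ip -> site-URL requests answered with DENIED
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        ip, path, status = m.group(1), m.group(2), int(m.group(3))
        site = SITE_RE.match(path)
        if not site:
            continue  # static assets, APIs and so on
        total[ip] += 1
        if status in DENIED:
            denied[ip] += 1
            probed[ip].add(site.group(1).lower())
    return {ip: sorted(names) for ip, names in probed.items()
            if len(names) >= min_sites
            and denied[ip] / total[ip] >= min_denied_ratio}

def _line(ip, path, status):
    # Builds one constructed log line for the sample below.
    return (f'{ip} - - [04/Jul/2025:19:00:00 +0000] '
            f'"GET {path} HTTP/1.1" {status} 512 "-" "-"')

# Constructed sample: one client walking site names, one ordinary visitor.
SAMPLE = (
    [_line("203.0.113.7", f"/en/web/{name}", status) for name, status in
     [("hr", 403), ("finance", 403), ("legal", 404),
      ("ops", 404), ("it", 404), ("sales", 404)]]
    + [_line("198.51.100.20", "/en/web/guest/home", 200)] * 4
    + [_line("198.51.100.20", "/en/web/gust", 404)]
)

if __name__ == "__main__":
    print(find_enumerators(SAMPLE))
```

The denied-ratio threshold keeps an ordinary visitor with an occasional mistyped URL out of the result; a mix of 403 and 404 answers for one client is the discrepancy this CVE describes showing up in the logs.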


Technical Details

Data Version: 5.1
Assigner Short Name: Liferay
Date Reserved: 2024-02-06T10:32:42.567Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fa1484d88663aec3ec

Added to database: 5/20/2025, 6:59:06 PM

Last enriched: 7/4/2025, 7:11:56 PM

Last updated: 7/30/2025, 5:37:25 PM
