PT-2021-20102 · Liferay · Liferay Portal +1

Published: 2021-08-03 · Updated: 2022-05-24 · CVE-2021-33321

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Liferay Portal versions 6.2.3 through 7.3.2
Liferay DXP versions prior to 7.3

Description

The issue is related to an insecure default configuration that allows remote attackers to enumerate user email addresses via the forgot password functionality. The configuration property login.secure.forgot.password should be set to true by default to prevent this.

Recommendations

For Liferay Portal versions 6.2.3 through 7.3.2 and for Liferay DXP versions prior to 7.3, set the portal property login.secure.forgot.password to true.
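A configuration check for this advisory, added here as an illustration and not code from Liferay or from the advisory's authors. It parses a portal-ext.properties file (a minimal Java .properties reader, assumed sufficient for typical files), treats a missing login.secure.forgot.password entry as the insecure default the advisory describes, and flags Liferay Portal builds inside the 6.2.3 to 7.3.2 range; the sample property files are constructed, and the DXP "prior to 7.3" range is not modelled.

```python
"""Audit portal-ext.properties for CVE-2021-33321 (illustrative, not Liferay code)."""
import re
from typing import Dict, Optional, Tuple

# Inclusive Liferay Portal range taken from the advisory text.
AFFECTED_PORTAL_RANGE = ((6, 2, 3), (7, 3, 2))
PROPERTY = "login.secure.forgot.password"

# Constructed sample files; not taken from any real deployment.
WEAK_PROPERTIES = """# portal-ext.properties
company.default.locale=en_US
# login.secure.forgot.password=true   <- still commented out, default applies
"""
FIXED_PROPERTIES = """company.default.locale=en_US
login.secure.forgot.password = \\
    true
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: #/! comments, '=', ':' or whitespace
    separators, and backslash line continuations. Escapes are not handled."""
    props: Dict[str, str] = {}
    logical = ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if not logical and (not line or line[0] in "#!"):
            continue
        logical += line
        if logical.endswith("\\"):          # continuation: join with next line
            logical = logical[:-1]
            continue
        for i, ch in enumerate(logical):
            if ch in "=: \t":
                key, value = logical[:i], logical[i + 1:].lstrip(" \t=:")
                break
        else:
            key, value = logical, ""
        props[key.strip()] = value.strip()
        logical = ""
    return props


def parse_version(version: str) -> Tuple[int, ...]:
    """'7.3.2-ga3' -> (7, 3, 2); non-numeric suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def portal_version_affected(version: str) -> bool:
    low, high = AFFECTED_PORTAL_RANGE
    return low <= parse_version(version) <= high


def secure_forgot_password_enabled(props: Dict[str, str]) -> bool:
    # Absent property == the insecure default the advisory describes.
    return props.get(PROPERTY, "false").lower() == "true"


def audit(properties_text: str, portal_version: str) -> Optional[str]:
    """Return a finding if the deployment matches the advisory, else None."""
    if not portal_version_affected(portal_version):
        return None
    if secure_forgot_password_enabled(parse_properties(properties_text)):
        return None
    return (f"CVE-2021-33321: {PROPERTY} is not true on Liferay Portal "
            f"{portal_version}; set {PROPERTY}=true in portal-ext.properties")
```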

Related Identifiers

CVE-2021-33321
GHSA-JFCH-M2X3-2V66

Affected Products

Liferay Dxp
Liferay Portal