PT-2021-20103 · Liferay · Liferay Portal+1
Published: 2021-08-03 · Updated: 2025-05-13 · CVE-2021-33322
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Liferay Portal versions 7.3.0 and earlier
Liferay DXP versions 7.0 before fix pack 96
Liferay DXP versions 7.1 before fix pack 18
Liferay DXP versions 7.2 before fix pack 5
Description
The issue allows a remote attacker to change a user's password using an old password reset token, because outstanding reset tokens are not invalidated when the user changes their password.
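The defect class is easier to see in code. The following is an added illustration written for this advisory, not Liferay code: a minimal reset-token store whose `invalidate_on_change` flag switches between the vulnerable behaviour (tokens survive a password change) and the hardened one (a password change revokes every outstanding token for that user). All names and the sample user are constructed.

```python
import hashlib
import secrets
import time


class ResetTokenStore:
    """Constructed stand-in for a password-reset token table (not Liferay's)."""

    def __init__(self, invalidate_on_change: bool):
        self.invalidate_on_change = invalidate_on_change
        self._tokens = {}     # sha256(token) -> (user_id, expires_at)
        self._passwords = {}  # user_id -> sha256(password), for illustration only

    @staticmethod
    def _h(value: str) -> str:
        return hashlib.sha256(value.encode()).hexdigest()

    def issue_reset_token(self, user_id: str, ttl: int = 3600) -> str:
        # Only the hash is stored, so a leaked table does not leak usable tokens.
        token = secrets.token_urlsafe(32)
        self._tokens[self._h(token)] = (user_id, time.time() + ttl)
        return token

    def set_password(self, user_id: str, new_password: str) -> None:
        self._passwords[user_id] = self._h(new_password)
        if self.invalidate_on_change:
            # Hardened behaviour: a password change ends the lifetime of every
            # reset token issued for this user, not just the one being redeemed.
            self._tokens = {k: v for k, v in self._tokens.items() if v[0] != user_id}

    def reset_with_token(self, token: str, new_password: str) -> bool:
        entry = self._tokens.pop(self._h(token), None)  # single use
        if entry is None:
            return False
        user_id, expires_at = entry
        if time.time() > expires_at:
            return False
        self.set_password(user_id, new_password)
        return True

    def check_password(self, user_id: str, password: str) -> bool:
        return self._passwords.get(user_id) == self._h(password)


def old_token_still_works(invalidate_on_change: bool) -> bool:
    """True if a token issued before a password change is still accepted afterwards."""
    store = ResetTokenStore(invalidate_on_change)
    store.set_password("alice", "initial-pw")
    old_token = store.issue_reset_token("alice")    # e.g. an earlier reset e-mail
    store.set_password("alice", "user-chosen-pw")   # the user changes their password
    return store.reset_with_token(old_token, "token-holder-chosen")
```

A regression test for the fix is simply `old_token_still_works(True)` returning `False`; the vulnerable configuration returns `True`.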
Recommendations
For Liferay Portal versions 7.3.0 and earlier, update to a version later than 7.3.0.
For Liferay DXP versions 7.0 before fix pack 96, apply fix pack 96 or later.
For Liferay DXP versions 7.1 before fix pack 18, apply fix pack 18 or later.
For Liferay DXP versions 7.2 before fix pack 5, apply fix pack 5 or later.
Fix
Weakness Enumeration
Insufficient Session Expiration
Related Identifiers
CVE-2021-33322
Affected Products
Liferay DXP
Liferay Portal