PT-2021-20106 · Liferay · Liferay Portal, Liferay DXP
Published: 2021-08-03 · Updated: 2022-05-24 · CVE-2021-33325
CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Liferay Portal versions 7.3.2 and earlier
Liferay DXP versions 7.0 before fix pack 93
Liferay DXP versions 7.1 before fix pack 19
Liferay DXP versions 7.2 before fix pack 7
Description
The issue allows attackers with access to the database to obtain a user's password if workflow is enabled for user creation. This is because users' passwords are stored in the database in clear text.
Recommendations
For Liferay Portal versions 7.3.2 and earlier, update to a version where the issue is fixed.
For Liferay DXP versions 7.0 before fix pack 93, apply fix pack 93 or later.
For Liferay DXP versions 7.1 before fix pack 19, apply fix pack 19 or later.
For Liferay DXP versions 7.2 before fix pack 7, apply fix pack 7 or later.
Fix
Weakness Enumeration
Cleartext Storage of Sensitive Information
Affected Products
Liferay DXP
Liferay Portal