PT-2024-10915 · Liferay · Liferay Portal, Liferay DXP
Duracell80
Published 2024-02-20 · Updated 2025-05-13
CVE-2021-29038
CVSS v3.1: 6.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions
Liferay Portal versions 7.2.0 through 7.3.5
Liferay DXP 7.3 before fix pack 1
Liferay DXP 7.2 before fix pack 17
Description
The issue allows attackers to use man-in-the-middle or shoulder surfing attacks to steal users' password reminder answers, because the answers are not obfuscated on the page.
Recommendations
For Liferay Portal versions 7.2.0 through 7.3.5, update to a version that includes the fix for this issue.
For Liferay DXP 7.3, apply fix pack 1 or later.
For Liferay DXP 7.2, apply fix pack 17 or later.
As a temporary workaround, consider implementing additional security measures to protect against man-in-the-middle and shoulder surfing attacks, such as using HTTPS and educating users about the risks of using public computers or public networks to access sensitive information.
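The following is an added example, not part of this advisory or of Liferay's own tooling: a small triage helper that maps an installed Liferay Portal or DXP version (plus applied fix pack for DXP) onto the affected ranges and remediation lines listed above. The version strings and fix-pack numbers in the sample inventory are constructed inputs, not data from any real deployment; the tolerance for a trailing qualifier such as "GA6" is an assumption about how version strings might appear in an inventory.

```python
"""Added example (not part of the PT-2024-10915 advisory or of Liferay): decide
whether a Liferay Portal / DXP installation falls inside the version ranges the
advisory lists for CVE-2021-29038 and print the matching remediation line."""

import re
from typing import Optional, Tuple

# Ranges exactly as stated in the advisory.
PORTAL_FIRST_AFFECTED = (7, 2, 0)   # Liferay Portal 7.2.0 ...
PORTAL_LAST_AFFECTED = (7, 3, 5)    # ... through 7.3.5 (inclusive)
DXP_MIN_FIX_PACK = {(7, 3): 1, (7, 2): 17}  # DXP line -> first fixed fix pack


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.3.5' (or '7.3.5 GA6', assumed qualifier form) into (7, 3, 5)."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def portal_is_affected(version: str) -> bool:
    """Liferay Portal is affected for 7.2.0 through 7.3.5 inclusive."""
    v = parse_version(version)
    v = (v + (0, 0, 0))[:3]  # pad so '7.3' compares like '7.3.0'
    return PORTAL_FIRST_AFFECTED <= v <= PORTAL_LAST_AFFECTED


def dxp_is_affected(version: str, fix_pack: Optional[int]) -> bool:
    """DXP 7.2 needs fix pack 17 or later, DXP 7.3 needs fix pack 1 or later.

    fix_pack=None means no fix pack has been applied.  DXP lines the advisory
    does not mention are reported as not affected.
    """
    line = parse_version(version)[:2]
    required = DXP_MIN_FIX_PACK.get(line)
    if required is None:
        return False
    applied = 0 if fix_pack is None else fix_pack
    return applied < required


def triage(product: str, version: str, fix_pack: Optional[int] = None) -> str:
    """Return the advisory's remediation line that applies, or 'not affected'."""
    if product == "portal":
        if portal_is_affected(version):
            return "update to a version that includes the fix"
        return "not affected"
    if product == "dxp":
        if dxp_is_affected(version, fix_pack):
            line = parse_version(version)[:2]
            return f"apply fix pack {DXP_MIN_FIX_PACK[line]} or later"
        return "not affected"
    raise ValueError("product must be 'portal' or 'dxp'")


if __name__ == "__main__":
    # Constructed sample inventory; not real hosts.
    inventory = [
        ("portal", "7.2.0", None),
        ("portal", "7.3.5 GA6", None),
        ("portal", "7.3.6", None),
        ("dxp", "7.2.10", 16),
        ("dxp", "7.3.10", 1),
    ]
    for product, version, fp in inventory:
        print(f"{product} {version} fix pack={fp} -> {triage(product, version, fp)}")
```

The boundaries are inclusive on both ends for Portal and strictly "below the required fix pack" for DXP, matching the wording of the advisory; anything outside the named lines is deliberately reported as not affected rather than guessed at.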
Fix
Weakness Enumeration
Related Identifiers
Affected Products
Liferay Dxp
Liferay Portal