PT-2025-45794 · Maven · Com.Liferay.Portal:Com.Liferay.Portal.Impl+1

Published: 2025-10-28 · Updated: 2025-10-28

CVSS v4.0: 6.9 (Medium)

Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Liferay Portal 7.4.0 through 7.4.3.99, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 34, and older unsupported versions store password reset tokens in plain text, which allows attackers with access to the database to obtain a token, reset a user’s password and take over the user’s account.

Fix

Cleartext Storage of Sensitive Information

Weakness Enumeration

Related Identifiers

GHSA-XCJ6-XPJG-C4XR

Affected Products

Com.Liferay.Portal:Com.Liferay.Portal.Impl
Com.Liferay.Portal:Release.Portal.Bom