Description
Liferay Portal and Liferay DXP stores password reset tokens in plain text, which allows attackers with access to the database to obtain the token, reset a user’s password and take over the user’s account.
Severity
6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)
Affected Version(s)
- Liferay Portal 7.0.0 through 7.4.3.99
- Liferay DXP 2023.Q3.1 through 2023.Q3.4
- Liferay DXP 7.4
- Liferay DXP 7.3 GA through U34
- And older unsupported versions
Fixed Version(s)
- Liferay Portal 7.4.3.100
- Liferay DXP 2024.Q1.1
- Liferay DXP 2023.Q4.0
- Liferay DXP 2023.Q3.5
- Liferay DXP 7.3 U35
Publication date: Mon, 27 Oct 2025 09:09:00 +0000