CST-7309 User enumeration via forget password

Description

The login module in Liferay Portal before 7.3.3 will indicate whether an email address or screen name is in the system or not, which allows remote attackers to enumerate users through the forget password functionality.
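The class of flaw described above, modelled as an added example with the enumerable behaviour beside a hardened form and a regression check that compares the two responses; this is not Liferay source code or the project's actual fix. The advisory does not say how the difference was exposed, so the differing status code and message, the account values and all class and method names are assumptions.

```java
import java.util.Set;
import java.util.function.Function;

// Added illustration, not Liferay source. All names are hypothetical.
public class ForgotPasswordEnumeration {

    // Constructed sample account store (email addresses and screen names).
    static final Set<String> ACCOUNTS = Set.of("alice@example.com", "alice");

    record Response(int status, String body) {}

    // Enumerable behaviour (assumed form): the reply reveals whether the
    // submitted identifier exists.
    static Response vulnerable(String identifier) {
        if (!ACCOUNTS.contains(identifier)) {
            return new Response(404, "No account found for " + identifier);
        }
        sendResetMail(identifier);
        return new Response(200, "Password reset email sent");
    }

    // Hardened form: identical status and body on both paths; the mail is
    // only sent when the account exists.
    static Response hardened(String identifier) {
        if (ACCOUNTS.contains(identifier)) {
            sendResetMail(identifier);
        }
        return new Response(200,
            "If an account matches, a reset email has been sent");
    }

    static void sendResetMail(String identifier) {
        // Placeholder: a real handler should queue the mail asynchronously so
        // response time does not differ between the two paths.
    }

    // Regression check: a handler leaks account existence when a known and
    // an unknown identifier produce distinguishable responses.
    static boolean leaksExistence(Function<String, Response> handler) {
        Response known = handler.apply("alice@example.com");
        Response unknown = handler.apply("nobody@example.com");
        return !known.equals(unknown);
    }

    public static void main(String[] args) {
        System.out.println("vulnerable leaks: " + leaksExistence(ForgotPasswordEnumeration::vulnerable));
        System.out.println("hardened leaks:   " + leaksExistence(ForgotPasswordEnumeration::hardened));
    }
}
```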

Severity

Severity 2

Fixed Version(s)

Publication date: Mon, 31 Aug 2020 17:00:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historical advisories are available in the Help Center.