CST-7309 User enumeration via forget password

Description

The login module in Liferay Portal before 7.3.3 will indicate whether an email address or screen name is in the system or not, which allows remote attackers to enumerate users through the forget password functionality.

Severity

Severity 2

Fixed Version(s)

Liferay Portal 7.3.3
September 2020 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page.

Publication date: Mon, 31 Aug 2020 17:00:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historial advisories are availabe in the Help Center.

Known Vulnerabilities

Releases

Description

Severity

Fixed Version(s)