Description
In Liferay Portal 7.3.0 and earlier, password reset tokens are not invalidated after a user changes their password, which allows remote attackers to change the user’s password via the old password reset token.
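As an added illustration (not Liferay's code), the following Python model contrasts the behaviour described above with the corrected one: in the hardened variant, any password change revokes every outstanding reset token for that account, and a token is consumed on first use. User, token and password values are constructed for the demo.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    password_hash: str
    # Outstanding reset tokens are stored hashed, never in the clear.
    reset_token_hashes: set = field(default_factory=set)


def _h(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


class PasswordResetService:
    """Toy reset flow. invalidate_on_change=False mirrors the flaw in the
    advisory (an old token still works after the password was changed);
    invalidate_on_change=True is the fixed behaviour."""

    def __init__(self, invalidate_on_change: bool):
        self.invalidate_on_change = invalidate_on_change
        self.users: dict[str, User] = {}

    def add_user(self, name: str, password: str) -> None:
        self.users[name] = User(name, _h(password))

    def request_reset(self, name: str) -> str:
        token = secrets.token_urlsafe(32)
        self.users[name].reset_token_hashes.add(_h(token))
        return token  # in a real system this is sent to the account owner

    def change_password(self, name: str, new_password: str) -> None:
        user = self.users[name]
        user.password_hash = _h(new_password)
        if self.invalidate_on_change:
            # The fix: a password change makes every earlier token useless.
            user.reset_token_hashes.clear()

    def reset_with_token(self, name: str, token: str, new_password: str) -> bool:
        user = self.users[name]
        if _h(token) not in user.reset_token_hashes:
            return False  # unknown, expired-by-change, or already used
        user.reset_token_hashes.discard(_h(token))  # tokens are single use
        self.change_password(name, new_password)
        return True
```

The same token is issued and then replayed after a password change in both configurations; only the hardened service refuses it.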
Severity
Severity 2
Fixed Version(s)
- Liferay Portal 7.3.1
- May 2021 source patch for Liferay Portal 7.2.1. Details for working with source patches can be found on the Patching Liferay Portal page.
There is no fix available for Liferay Portal 7.0 and 7.1. Please upgrade to Liferay Portal 7.3.
Acknowledgments
This issue was reported by Shijin Sures
Publication date: Mon, 10 May 2021 16:00:00 +0000