Description
The Account Settings page in Liferay Portal and Liferay DXP embeds the user’s hashed password in the page’s HTML source, which allows man-in-the-middle attackers to steal a user's hashed password.
Severity
6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Affected Version(s)
- Liferay Portal 7.4.3.76 through 7.4.3.99
- Liferay DXP 2023.Q3 before patch 5
- Liferay DXP 7.4 update 76 through 92
Fixed Version(s)
- Liferay Portal 7.4.3.100
- Liferay DXP 2023.Q3.5
Publication date: Tue, 20 Feb 2024 13:30:00 +0000