Description
In Liferay Portal 7.2.0 and earlier, a user can update their password through JSONWS without supplying their current password. Because the request needs nothing beyond an authenticated session, anything that lets an attacker issue requests inside a victim's session, such as XSS, session hijacking or an unattended workstation, is enough to change that victim's password.
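The following is an added illustration, not Liferay code and not the project's fix. It shows, in a minimal in-memory service, the shape of the flaw the advisory describes (a password change guarded only by a valid session) next to a hardened handler that re-verifies the current password before changing it and then drops the account's other sessions so a hijacked session cannot outlive the rotation. The names (UserStore, update_password_vulnerable, update_password_fixed) and the PBKDF2 parameters are assumptions chosen for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets

# Added example: NOT Liferay code. Hashing parameters are illustrative only.
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest) using PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class UserStore:
    """Hypothetical user/session store standing in for the portal's own."""

    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes]] = {}   # username -> (salt, digest)
        self.sessions: dict[str, str] = {}                 # session token -> username

    def add_user(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def verify_password(self, username: str, password: str) -> bool:
        if username not in self.users:
            return False
        salt, digest = self.users[username]
        _, candidate = hash_password(password, salt)
        return hmac.compare_digest(candidate, digest)

    def login(self, username: str, password: str) -> str | None:
        """Issue a session token on a correct password, else None."""
        if not self.verify_password(username, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token


def update_password_vulnerable(store: UserStore, session_token: str,
                               new_password: str) -> bool:
    """Mirrors the advisory's flaw: the only check is a live session.

    Anything able to send a request in the victim's session (XSS, a stolen
    cookie, an unattended browser) can therefore take over the account.
    """
    username = store.sessions.get(session_token)
    if username is None:
        return False
    store.users[username] = hash_password(new_password)
    return True


def update_password_fixed(store: UserStore, session_token: str,
                          current_password: str, new_password: str) -> bool:
    """Hardened form: re-authenticate with the current password first."""
    username = store.sessions.get(session_token)
    if username is None:
        return False
    if not store.verify_password(username, current_password):
        return False
    store.users[username] = hash_password(new_password)
    # Invalidate every other session for this account so a hijacked
    # session cannot ride out the password rotation.
    store.sessions = {
        tok: user for tok, user in store.sessions.items()
        if user != username or tok == session_token
    }
    return True


def simulate_session_hijack() -> tuple[bool, bool]:
    """An attacker holding only the victim's session token, not the password.

    Returns (succeeded against vulnerable handler, succeeded against fixed handler).
    """
    store = UserStore()
    store.add_user("alice", "correct horse battery staple")
    stolen_token = store.login("alice", "correct horse battery staple")
    assert stolen_token is not None
    vulnerable_hit = update_password_vulnerable(store, stolen_token, "attacker-chosen")
    # The attacker has no current password to present; any guess fails.
    fixed_hit = update_password_fixed(store, stolen_token, "guess", "attacker-chosen")
    return vulnerable_hit, fixed_hit


if __name__ == "__main__":
    print(simulate_session_hijack())  # (True, False)
```

The fixed handler also rotates the account's other sessions, which is the second check a practitioner expects from a password-change endpoint: requiring the current password stops the attack, and dropping other sessions limits what an already-hijacked session can do afterwards.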
Severity
Severity 2
Fixed Version(s)
- Liferay Portal 7.2.1
- March 2020 source patch for Liferay Portal 7.1.3. Details for working with source patches can be found on the Patching Liferay Portal page.
Publication date: Mon, 02 Mar 2020 07:21:00 +0000