CST-7108 User can change password without entering current password

Description

In Liferay Portal 7.1 CE GA1, users are normally required to enter their current password if they want to change their password. However, the requirement to enter the current password can be circumvented, making users vulnerable to account hijacking.

Severity

Severity 2

Fixed Version(s)

Publication date: Mon, 12 Nov 2018 09:39:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historical advisories are available in the Help Center.