CST-7117 Unverified password change

Description

A bug in Liferay Portal 7.1 CE allows any authenticated user to change the password of another user, including an administrator. Once a user has access to an administrator account, a full system compromise is possible.

Severity

Severity 1

Fixed Version(s)

Publication date: Thu, 31 Jan 2019 01:13:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) have only been listed here since 2023. Historical advisories are available in the Help Center.