CST-7212 Passwords are emailed to users by default

Description

Insecure default configuration in Liferay Portal 7.2.0 and earlier allows man-in-the-middle attackers to intercept the account-creation email sent to new users, which contains the user's password, and log in as that user.


Workaround: Allow users to set their own password during account creation, so that no password is sent over email, by setting the following portal property: login.create.account.allow.custom.password=true
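As an added illustration (not part of the original advisory), the weak default and the workaround side by side, as they would appear in a portal-ext.properties override file; the file name and the fact that a restart is needed for the change to take effect are assumptions about a typical deployment, not statements from the advisory:

```properties
# Default behaviour (what Liferay Portal 7.2.0 and earlier ships with):
# the portal generates a password for each new account and emails it
# to the user. Anyone able to read that mail in transit or at rest
# can log in as the user.
login.create.account.allow.custom.password=false

# Workaround from the advisory: let the user choose a password on the
# account-creation form, so no password is ever put into an email.
# Put this line in portal-ext.properties (assumed override file) and
# restart the portal (assumed) for it to take effect.
login.create.account.allow.custom.password=true
```

After applying the override, create a test account and confirm that the registration form now asks for a password and that the welcome email no longer contains one.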

Severity

Severity 2

Fixed Version(s)

Acknowledgments

This issue was reported by Andreas Alexander Maier

Publication date: Mon, 02 Mar 2020 07:21:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historical advisories are available in the Help Center.