Description
Insecure default configuration in Liferay Portal 7.2.0 and earlier allows man-in-the-middle attackers to intercept the email sent to users when their account is created and log in as the user.
Workaround: Allow users to set their own custom password during account creation by setting the following portal property: login.create.account.allow.custom.password=true
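An added example, not part of the advisory or of Liferay's code: a Python check that reports whether the text of a properties file applies the workaround above. The parser, function names and sample files are constructed for illustration; it assumes an unset property behaves like false (the default this advisory calls insecure) and it inspects one file only.

```python
import re

PROP = "login.create.account.allow.custom.password"
_ENTRY = re.compile(r"((?:\\.|[^\s:=\\])+)\s*[:=]?\s*(.*)")

def parse_properties(text):
    """Parse Java .properties text: '#'/'!' comments, '=', ':' or whitespace
    separators, backslash line continuation. A later key overrides an earlier one."""
    props, pending, cont = {}, "", False
    for raw in text.splitlines() + [""]:   # trailing "" flushes a dangling continuation
        line = raw.lstrip()
        if not cont and (not line or line[0] in "#!"):
            continue                       # blank line or comment
        backslashes = len(line) - len(line.rstrip("\\"))
        if backslashes % 2 == 1:           # odd count: logical line continues
            pending, cont = pending + line[:-1], True
            continue
        match = _ENTRY.match(pending + line)
        if match:
            props[match.group(1)] = match.group(2).strip()
        pending, cont = "", False
    return props

def workaround_applied(text):
    # Assumption: only an explicit "true" counts; unset is treated as false.
    return parse_properties(text).get(PROP, "false").lower() == "true"

# Constructed sample files, not taken from a real deployment.
SAMPLES = {
    "unset": "example.other.setting=1\n",
    "commented out": "#" + PROP + "=true\n",
    "workaround": PROP + "=true\n",
    "overridden later": PROP + "=true\n" + PROP + " = false\n",
    "continued line": "login.create.account.allow.\\\n    custom.password: true\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:17} workaround applied: {workaround_applied(text)}")
```

The "commented out" and "overridden later" cases are the ones a plain text search for the property name would misreport as fixed.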
Severity
Severity 2
Fixed Version(s)
- Liferay Portal 7.2.1
- March 2020 source patch for Liferay Portal 7.1.3. Details for working with source patches can be found on the Patching Liferay Portal page.
Acknowledgments
This issue was reported by Andreas Alexander Maier.
Publication date: Mon, 02 Mar 2020 07:21:00 +0000