Liferay doesn't properly sanitize name of user agent while creating "Forget Password" emails sent from the portal.
User-Agent HTTP header is wrapped by default to the forget password HTML based message (so also CSRF is possible, but it is likely that CSRF attempt will be blocked by Mail Agent).
This can lead to extreamly dangerous phishing attacks (email which contains malicious content originates from the targeted portal !!!).
Attacker using credibility given by origin of email can easily embed instructions for the victim (f.e. forwarding email to some address - email contains new password for victims account !!!).
From privileges escalation to sending abusive content from the targeted portal to it's users (loosing of credibility by institution running portal).
Sign In -> Forgot Password feature turned on, having at least one email of portal user (since Liferay suffers email guessing flow, it is not hard to get one).
NOTE: Attack must set to User-Agent HTTP header before session is
created (so User-Agent must present itself with attack from the
beginning of User-Agent <-> Server interaction) !!!
EXAMPLE EXPLOIT AND VERIFICATION:
Please use software proxy that allows to modify HTTP traffic or write
simple user-agent in f.e. Perl.
Set value of HTTP User-Agent to f.e (Internet Explorer + an attack).
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
CLR 1.1.4322; .NET CLR 2.0.50727). If you haven't requested Password Reminder feature please forward immediately this email to email@example.com.