- Type: Bug
- Status: Closed
- Priority: Minor
- Resolution: Fixed
- Affects Version/s: 7.0 DE (7.0.10), 7.1 DXP (7.1.10), 7.2 DXP (7.2.10)
- Component/s: Application Security > Password, Security Vulnerability
- Business Value: 3
- CVSS Base Score: 5.9
- CVSS Vector String: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
- 7.0 Fix Pack Version: 86
- 7.1 Fix Pack Version: 13
Using the default configuration in Liferay DXP 7.0 and 7.1, an email containing the user's password is sent to the user when an account is created or when an administrator changes the password. The password in that email is exposed to man-in-the-middle attacks and is readable by the user's email provider.
Important Change
The default value of the following property has been changed to "true":

    #
    # Set this to true to allow the user to choose a password during account
    # creation.
    #
    # Env: LIFERAY_LOGIN_PERIOD_CREATE_PERIOD_ACCOUNT_PERIOD_ALLOW_PERIOD_CUSTOM_PERIOD_PASSWORD
    #
    login.create.account.allow.custom.password=true
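The following audit helper is an added example, not code from the issue or from Liferay: it reads a portal-ext.properties override and, together with the product line and installed fix pack, reports whether an instance would still email generated passwords. It assumes the pre-fix default of the property was false (as the issue implies), that only a literal "true" enables it, and that a 7.2 instance without an explicit setting is still affected because the issue lists no 7.2 fix pack; the properties content below is a constructed sample.

```python
import re

# Constructed sample portal-ext.properties (not from the issue): an override
# that deliberately re-enables emailed passwords.
SAMPLE_PROPERTIES = """\
# site override, constructed for this example
login.create.account.allow.custom.password = false
admin.email.from.name=Example Admin
"""

KEY = "login.create.account.allow.custom.password"
# Fix pack that ships the changed default, per the issue (no 7.2 fix pack listed).
FIXED_FIX_PACK = {"7.0": 86, "7.1": 13}


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, key=value,
    key:value or whitespace-separated pairs, and backslash line continuations."""
    props = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line[0] in "#!":
            continue
        while line.endswith("\\") and i < len(lines):
            line = line[:-1] + lines[i].strip()  # join continued value
            i += 1
        m = re.fullmatch(r"([^=:\s]+)\s*(?:[=:]\s*)?(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def custom_password_allowed(props, version, fix_pack):
    """Effective value: an explicit setting wins; otherwise the default is True
    only once the fix pack named in the issue is installed (assumption: the
    earlier default was false)."""
    if KEY in props:
        return props[KEY].lower() == "true"  # simplification: only 'true' enables
    fixed_at = FIXED_FIX_PACK.get(version)
    return fixed_at is not None and fix_pack >= fixed_at


def password_emailed(props, version, fix_pack):
    """True when the instance would still send a generated password by email."""
    return not custom_password_allowed(props, version, fix_pack)
```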