[LPE-16698] Passwords are emailed to users by default - Liferay Issues

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 7.0 DE (7.0.10), 7.1 DXP (7.1.10), 7.2 DXP (7.2.10)
Fix Version/s: 7.0.X EE, 7.1.x EE, 7.2.X EE
Component/s: Application Security > Password, Security Vulnerability
Labels:

Business Value:
3
CVSS Base Score:
5.9
CVSS Vector String:
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
7.0 Fix Pack Version:
86
7.1 Fix Pack Version:
13

Description

Using the default configuration in Liferay DXP 7.0 and 7.1, an email containing the user's password is sent to the user when creating an account or the password is changed by an admin. The password in the email is vulnerable to man in the middle attacks and is accessible by the user's email provider.

Important Change
The default value of the following property has been changed to "true:

    #
    # Set this to true to allow the user to choose a password during account
    # creation.
    #
    # Env: LIFERAY_LOGIN_PERIOD_CREATE_PERIOD_ACCOUNT_PERIOD_ALLOW_PERIOD_CUSTOM_PERIOD_PASSWORD
    #
    login.create.account.allow.custom.password=true

Attachments

Activity

People

Assignee:

EE Support

Reporter:

Tibor Lipusz

Votes:

0 Vote for this issue

Watchers:

0 Start watching this issue

Dates

Created:

11/Mar/19 3:20 AM

Updated:

11/Oct/19 4:42 AM

Resolved:

15/Aug/19 1:22 PM

Packages

Version	Package
7.0.X EE
7.1.x EE
7.2.X EE