PUBLIC - Liferay Portal Enterprise Edition / LPE-16698

Passwords are emailed to users by default

    Details

    • Business Value:
      3
    • CVSS Base Score:
      5.9
    • CVSS Vector String:
      CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
    • 7.0 Fix Pack Version:
      86
    • 7.1 Fix Pack Version:
      13

      Description

      Using the default configuration in Liferay DXP 7.0 and 7.1, an email containing the user's password is sent to the user when an account is created or when the password is changed by an admin. The password in the email is vulnerable to man-in-the-middle attacks and is accessible to the user's email provider.

      Important Change
      The default value of the following property has been changed to "true":

          #
          # Set this to true to allow the user to choose a password during account
          # creation.
          #
          # Env: LIFERAY_LOGIN_PERIOD_CREATE_PERIOD_ACCOUNT_PERIOD_ALLOW_PERIOD_CUSTOM_PERIOD_PASSWORD
          #
          login.create.account.allow.custom.password=true
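An added example, not part of the original issue or Liferay's own code: a Python check that flags explicit overrides which set the property back to a non-true value after the fix pack is applied. It assumes overrides live in a `portal-ext.properties` file or in the environment variable named on the `Env:` line above; the function names and the sample file contents are constructed for illustration.

```python
import os
import re

PROP = "login.create.account.allow.custom.password"  # property named on the page

def env_name(key):
    """Env-variable form of a property key, following the 'Env:' line on the page."""
    return "LIFERAY_" + key.upper().replace(".", "_PERIOD_")

def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' separators,
    and backslash line continuations (escaped backslashes are not handled)."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]  # join with the next physical line
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def audit(properties_text, environ):
    """Return (source, value) for every explicit override that is not 'true'.
    An empty list means nothing overrides the shipped default."""
    sources = (
        ("portal-ext.properties", parse_properties(properties_text).get(PROP)),
        (env_name(PROP), environ.get(env_name(PROP))),
    )
    return [(src, val) for src, val in sources
            if val is not None and val.strip().lower() != "true"]

# Constructed sample: an override file carried over from before the fix pack.
SAMPLE = """\
# portal-ext.properties (constructed)
login.create.account.allow.custom.password = false
"""

if __name__ == "__main__":
    for src, val in audit(SAMPLE, os.environ):
        print(f"{src}: {PROP}={val!r} overrides the fixed default")
```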
      

            People

            • Assignee:
              support-ee EE Support
            • Reporter:
              tibor.lipusz Tibor Lipusz

                Packages

                Version Package
                7.0.X EE
                7.1.x EE
                7.2.X EE