  1. PUBLIC - Liferay Portal Enterprise Edition
  2. LPE-16830

Email address disclosure via forgot password

    Details

    • CVSS Base Score:
      5.3
    • CVSS Vector String:
      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    • 7.0 Fix Pack Version:
      85
    • 7.1 Fix Pack Version:
      13

      Description

      In Liferay DXP 7.2, DXP 7.1 and 7.0 and Liferay Portal 6.2 EE, a user's email address can be exposed via the forgot password feature.

      Systems are only vulnerable if reminder queries are enabled (users.reminder.queries.enabled=true) and users are authenticated using their screen name or their user id.
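
One way to check a portal-ext.properties file for the condition described above. This is an added example, not part of the original issue or Liferay's code. It assumes the authentication mode is set through the company.security.auth.type property and that the unset defaults are the ones listed in ASSUMED_DEFAULTS; the sample files are constructed.

```python
# Added example: audit Liferay properties for the exposure condition in this
# issue (reminder queries enabled AND login by screen name or user id).
ASSUMED_DEFAULTS = {  # assumption: values in effect when a key is not set
    "users.reminder.queries.enabled": "true",
    "company.security.auth.type": "emailAddress",
}

def parse_properties(text):
    """Parse Java .properties text: '#'/'!' comments, key=value or key:value,
    backslash line continuations. A later key overrides an earlier one."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1]
            continue
        for i, ch in enumerate(line):    # split on the first '=' or ':'
            if ch in "=:":
                props[line[:i].strip()] = line[i + 1:].strip()
                break
    return props

def audit(text):
    """Return the effective settings and whether both conditions hold."""
    props = {**ASSUMED_DEFAULTS, **parse_properties(text)}
    reminder = props["users.reminder.queries.enabled"].lower() == "true"
    auth = props["company.security.auth.type"]
    exposed = reminder and auth in ("screenName", "userId")
    return {"reminder_queries": reminder, "auth_type": auth, "exposed": exposed}

# Constructed sample input, not taken from a real deployment.
SAMPLE_EXPOSED = """\
# portal-ext.properties
company.security.auth.type=screenName
users.reminder.queries.enabled=true
"""
# Same file with reminder queries switched off by a later override.
SAMPLE_CHANGED = SAMPLE_EXPOSED + "users.reminder.queries.enabled=false\n"

if __name__ == "__main__":
    for name, text in (("exposed", SAMPLE_EXPOSED), ("changed", SAMPLE_CHANGED)):
        print(name, audit(text))
```

The authentication mode can also be changed per instance in the Control Panel, so a clean result from the properties file should be confirmed against the running instance's settings.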

            People

            Assignee:
            support-ee EE Support
            Reporter:
            EnterpriseReleaseHU Enterprise Release HU

                Packages

                Version Package
                7.0.X EE
                7.1.x EE
                7.2.X EE