[LPE-16830] Email address disclosure via forgot password - Liferay Issues

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 6.2 EE GA1 (6.2.10), 7.0 DE (7.0.10), 7.1 DXP (7.1.10), 7.2 DXP (7.2.10)
Fix Version/s: 7.0.X EE, 7.1.x EE, 7.2.X EE
Component/s: Application Security > Login/Sign in Portlet, Security Vulnerability
Labels:

CVSS Base Score:
5.3
CVSS Vector String:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
7.0 Fix Pack Version:
85
7.1 Fix Pack Version:
13

Description

In Liferay DXP 7.2, DXP 7.1 and 7.0 and Liferay Portal 6.2 EE user email address can be exposed via forgot password.

System are only vulnerable if reminder queries are enabled (users.reminder.queries.enabled=true) and users are authenticated using their screen name or their user id.

Attachments

Activity

People

Assignee:: EE Support

Reporter:: Enterprise Release HU

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 30/Jul/19 4:04 PM

Updated:: 17/Dec/19 5:34 PM

Resolved:: 15/Aug/19 1:24 PM

Packages

Version	Package
7.0.X EE
7.1.x EE
7.2.X EE