- Type: Bug
- Status: Closed
- Priority: Minor
- Resolution: Fixed
- Affects Version/s: 6.2 EE GA1 (6.2.10), 7.0 DE (7.0.10), 7.1 DXP (7.1.10), 7.2 DXP (7.2.10)
- CVSS Base Score: 5.3
- CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- 7.0 Fix Pack Version: 85
- 7.1 Fix Pack Version: 13

In Liferay DXP 7.2, DXP 7.1 and 7.0, and Liferay Portal 6.2 EE, a user's email address can be exposed via the forgot password feature.
Systems are only vulnerable if reminder queries are enabled (users.reminder.queries.enabled=true) and users are authenticated using their screen name or their user ID.
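
To check whether an installation meets both conditions above, the following added example (not part of this ticket or of Liferay's code) audits the text of a portal-ext.properties file. It assumes the login method is set with company.security.auth.type, and that the shipped defaults are reminder queries enabled and email-address login; the sample files are constructed.

```python
import re

# Assumed shipped defaults (not stated on the page); check your version's portal.properties.
ASSUMED_DEFAULTS = {
    "users.reminder.queries.enabled": "true",
    "company.security.auth.type": "emailAddress",
}
AFFECTED_AUTH_TYPES = {"screenName", "userId"}  # the two login methods the ticket names

# Constructed sample portal-ext.properties contents, not taken from a real system.
SAMPLE_MATCH = """\
# login by screen name, reminder queries left on
company.security.auth.type=screenName
users.reminder.queries.enabled = true
"""
SAMPLE_NO_MATCH = """\
company.security.auth.type: userId
users.reminder.queries.enabled=false
"""


def parse_properties(text):
    """Minimal Java .properties parser: '#'/'!' comments, '=' or ':' separators,
    last assignment wins. Line continuations and escapes are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit(text, defaults=ASSUMED_DEFAULTS):
    """Report whether the effective settings meet both conditions in the ticket."""
    props = {**defaults, **parse_properties(text)}
    reminder_on = props["users.reminder.queries.enabled"].lower() == "true"
    auth_type = props["company.security.auth.type"]
    return {
        "reminder_queries_enabled": reminder_on,
        "auth_type": auth_type,
        "matches_vulnerable_config": reminder_on and auth_type in AFFECTED_AUTH_TYPES,
    }


if __name__ == "__main__":
    for name, sample in (("match", SAMPLE_MATCH), ("no match", SAMPLE_NO_MATCH)):
        print(name, audit(sample))
```

The login method can also be changed per instance in the portal's authentication settings, which a properties-file check does not see, so confirm the effective value there as well.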