  1. PUBLIC - Liferay Portal Enterprise Edition
  2. LPE-16830

Email address disclosure via forgot password

    Details

    • CVSS Base Score:
      5.3
    • CVSS Vector String:
      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    • 7.0 Fix Pack Version:
      85
    • 7.1 Fix Pack Version:
      13

      Description

      In Liferay DXP 7.2, DXP 7.1 and 7.0, and Liferay Portal 6.2 EE, a user's email address can be exposed via the forgot password feature.

      Systems are only vulnerable if reminder queries are enabled (users.reminder.queries.enabled=true) and users are authenticated using their screen name or their user ID.
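
The precondition above can be checked against a portal-ext.properties file. The following is an added example, not Liferay's code: the property name company.security.auth.type, its values screenName and userId, and the defaults in ASSUMED_DEFAULTS are assumptions not stated in this issue, and the function names and sample files are constructed for illustration.

```python
import re

# Fix pack levels carrying the fix, from the issue's Details fields.
FIXED_IN = {"7.0": 85, "7.1": 13}

# Assumed portal.properties defaults (not stated in the issue); confirm them
# against the portal.properties shipped with the build being audited.
ASSUMED_DEFAULTS = {
    "users.reminder.queries.enabled": "true",
    "company.security.auth.type": "emailAddress",
}

_LINE = re.compile(r"^\s*([^#!\s][^=:\s]*)\s*[=:]?\s*(.*?)\s*$")

def parse_properties(text):
    """Minimal .properties reader: skips comments, last assignment wins.
    Backslash line continuations are not handled."""
    props = {}
    for line in text.splitlines():
        match = _LINE.match(line)
        if match:
            props[match.group(1)] = match.group(2)
    return props

def assess(props_text, version, fix_pack):
    """Return 'patched', 'exposed' or 'not-exposed-by-config'."""
    fixed_at = FIXED_IN.get(version)  # None: no fix pack listed in the issue
    if fixed_at is not None and fix_pack >= fixed_at:
        return "patched"
    cfg = {**ASSUMED_DEFAULTS, **parse_properties(props_text)}
    reminders_on = cfg["users.reminder.queries.enabled"].lower() == "true"
    non_email_login = cfg["company.security.auth.type"] in ("screenName", "userId")
    return "exposed" if reminders_on and non_email_login else "not-exposed-by-config"

# Constructed sample files, not taken from a real deployment.
SAMPLE_EXPOSED = """\
# login by screen name, reminder queries left on
users.reminder.queries.enabled=true
company.security.auth.type = screenName
"""
SAMPLE_MITIGATED = """\
users.reminder.queries.enabled=false
company.security.auth.type=userId
"""

if __name__ == "__main__":
    for name, text in (("exposed", SAMPLE_EXPOSED), ("mitigated", SAMPLE_MITIGATED)):
        print(name, "->", assess(text, "7.1", 12))
```

The authentication type can also be changed per instance in the portal's Instance Settings, which a properties-file check does not see, so confirm the effective value there as well.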


            People

            • Assignee:
              support-ee EE Support
              Reporter:
              EnterpriseReleaseHU Enterprise Release HU


                Packages

                Version Package
                7.0.X EE
                7.1.x EE
                7.2.X EE