Uploaded image for project: 'PUBLIC - Liferay Portal Enterprise Edition'
  1. PUBLIC - Liferay Portal Enterprise Edition
  2. LPE-16981

Password change does not invalidate password reset tokens

    Details

    • CVSS Base Score:
      6.5
    • CVSS Vector String:
      CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
    • 7.1 Fix Pack Version:
      18
    • 7.2 Fix Pack Version:
      5

      Description

      Password reset tokens in Liferay DXP 7.0, 7.1, and 7.2 are not invalidated after users changes their password, which allows remote attackers to change users password via the invalidated password reset token.

        Attachments

          Activity

            People

            Assignee:
            support-ee EE Support
            Reporter:
            EnterpriseReleaseHU Enterprise Release HU
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:

                Packages

                Version Package
                7.1.x EE
                7.2.X EE