[LPE-16981] Password change does not invalidate password reset tokens - Liferay Issues

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 7.0 DE (7.0.10), 7.1 DXP (7.1.10), 7.2 DXP (7.2.10)
Fix Version/s: 7.0.X EE, 7.1.x EE, 7.2.X EE
Component/s: Application Security > Password, Security Vulnerability
Labels:

CVE IDs:
CVE-2021-33322
CVSS Base Score:
6.5
CVSS Vector String:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
7.0 Fix Pack Version:
96
7.1 Fix Pack Version:
18
7.2 Fix Pack Version:
5

Description

Password reset tokens in Liferay DXP 7.0, 7.1, and 7.2 are not invalidated after users changes their password, which allows remote attackers to change users password via the invalidated password reset token.

Attachments

Activity

People

Assignee:: EE Support

Reporter:: Enterprise Release HU

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 18/Mar/20 3:02 PM

Updated:: 02/Aug/21 12:27 AM

Resolved:: 14/Jul/20 5:25 AM

Packages

Version	Package
7.0.X EE
7.1.x EE
7.2.X EE