PUBLIC - Liferay Portal Community Edition / LPS-11626

[Vulnerability] Potential Abuse of "Reset Password"

Details

Description

If you hit "reset password" it just sends a reset password to the user without confirming the user's identity in any way. Especially on the Liferay site, where everyone's email is first.lastname@liferay.com, there is a lot of potential for abuse if someone knows people's email addresses. Passwords can be arbitrarily reset.

The way most other sites do it now is by emailing a link to users who "forget their passwords" that sends them a form that expires within 24 hours. There, they can hit a button to reset the password, or even change the password directly. If they did not request the password change, they can simply ignore the email.
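The token-based flow the report recommends, as an added illustration that is not Liferay's code: a reset request only issues an unguessable, single-use link that expires after 24 hours, and nothing about the account changes until that link is redeemed. The service, the in-memory stores and the manual clock are constructed for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

TOKEN_TTL = timedelta(hours=24)  # expiry window suggested in the report


class ManualClock:
    """Constructed clock so token expiry can be exercised without waiting."""
    def __init__(self) -> None:
        self.now = datetime(2024, 1, 1, tzinfo=timezone.utc)

    def advance_hours(self, hours: int) -> None:
        self.now += timedelta(hours=hours)


@dataclass
class ResetRequest:
    user: str
    expires_at: datetime
    used: bool = False


class PasswordResetService:
    """Hypothetical service: a reset request only emails a single-use link."""
    def __init__(self, clock: ManualClock) -> None:
        self.clock = clock
        self.pending: Dict[str, ResetRequest] = {}  # sha256(token) -> request
        self.passwords: Dict[str, str] = {}         # stand-in credential store

    @staticmethod
    def _digest(token: str) -> str:
        # Store only a hash: a leaked table cannot be replayed as live links.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # unguessable, CSPRNG-backed
        self.pending[self._digest(token)] = ResetRequest(
            user, self.clock.now + TOKEN_TTL)
        # The account is untouched here; the raw token goes only into the
        # emailed link, so an unsolicited email can simply be ignored.
        return token

    def redeem(self, token: str, new_password: str) -> Optional[str]:
        """Change the password if the token is valid; return the user or None."""
        req = self.pending.get(self._digest(token))
        if req is None or req.used or self.clock.now >= req.expires_at:
            return None
        req.used = True  # one link, one reset
        self.passwords[req.user] = new_password
        return req.user
```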
