Insecure default configuration in Liferay Portal 6.2.3 up to and including 7.3.2, and Liferay DXP prior to 7.3, allows remote malicious users to enumerate user email addresses via the forgot password functionality. The portal property login.secure.forgot.password should default to true.
Vulnerable Product |
---|
liferay dxp |
liferay liferay portal |
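
An added example (not code from the advisory or from Liferay) that audits properties files for the login.secure.forgot.password setting described above, reporting whether the effective value is hardened, weak, or left to the shipped default. It assumes overrides live in a file such as portal-ext.properties and that files are passed in load order; the sample content and the key example.other.setting are constructed.

```python
import re

PROP = "login.secure.forgot.password"  # property named in the advisory

def parse_properties(text):
    """Parse Java .properties text: '#'/'!' comments, '=', ':' or whitespace
    separators, backslash line continuations. A later key overrides an earlier one."""
    props, pending = {}, ""
    for raw in text.splitlines():
        stripped = raw.lstrip()
        # Comment and blank lines only count when not inside a continuation.
        if not pending and (not stripped or stripped[0] in "#!"):
            continue
        line = pending + stripped
        pending = ""
        # An odd number of trailing backslashes means the value continues.
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            pending = line[:-1]
            continue
        m = re.match(r"((?:\\.|[^\s=:\\])+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit(sources):
    """sources: (name, text) pairs in load order, last definition wins.
    Returns (verdict, name of the file that set the value, or None)."""
    value = origin = None
    for name, text in sources:
        props = parse_properties(text)
        if PROP in props:
            value, origin = props[PROP], name
    if value is None:
        # Not set anywhere: the instance runs on the shipped default.
        return ("unset-uses-default", None)
    # Assumption: only a literal "true" is accepted as hardened by this check.
    return ("secure" if value.lower() == "true" else "insecure", origin)

# Constructed sample input, not taken from a real deployment.
SAMPLE_EXT = """\
# hypothetical override file
example.other.setting=1
login.secure.forgot.password = false
"""
SAMPLE_FIXED = SAMPLE_EXT.replace("= false", "= true")

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_EXT), ("after", SAMPLE_FIXED)):
        print(label, audit([("portal-ext.properties", text)]))
```

On the versions listed above, an "unset-uses-default" verdict deserves the same attention as "insecure", since the advisory attributes the issue to the default value.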