CVE-2021-29038 — Weak Password Recovery Mechanism for Forgotten Password in Digital Experience Platform

CWE-640 — Weak Password Recovery Mechanism for Forgotten Password4 documents4 sources

Severity

6.3MEDIUMNVD

EPSS

0.1%

top 73.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Digital Experience Platform Liferay Portal

Timeline

PublishedFeb 20

Latest updateFeb 21

Description

Liferay Portal 7.2.0 through 7.3.5, and older unsupported versions, and Liferay DXP 7.3 before fix pack 1, 7.2 before fix pack 17, and older unsupported versions does not obfuscate password reminder answers on the page, which allows attackers to use man-in-the-middle or shoulder surfing attacks to steal user's password reminder answers.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:LExploitability: 2.8 | Impact: 3.4

Affected Packages2 packages

▶NVDliferay/liferay_portal7.3.0 — 7.3.6+1

▶NVDliferay/digital_experience_platform< 7.2+2

🔴Vulnerability Details

OSV

Liferay Portal and Liferay DXP Does Not Obfuscate Password Reminder Answers↗2024-02-21

▶

GHSA

Liferay Portal and Liferay DXP Does Not Obfuscate Password Reminder Answers↗2024-02-21

▶

CVEList

CVE-2021-29038: Liferay Portal 7↗2024-02-20

▶