CVE-2021-33321Weak Password Recovery Mechanism for Forgotten Password in DXP

CWE-640Weak Password Recovery Mechanism for Forgotten Password4 documents4 sources
Severity
7.5HIGHNVD
EPSS
0.3%
top 45.50%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Liferay DXPLiferay Portal
Timeline
PublishedAug 3
Latest updateMay 24

Description

Insecure default configuration in Liferay Portal 6.2.3 through 7.3.2, and Liferay DXP before 7.3, allows remote attackers to enumerate user email address via the forgot password functionality. The portal.property login.secure.forgot.password should be defaulted to true.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

NVDliferay/liferay_portal6.2.37.3.3
NVDliferay/dxp< 7.3

🔴Vulnerability Details

3
OSV
Liferay Portal and Liferay DXP insecure default configuration2022-05-24
GHSA
Liferay Portal and Liferay DXP insecure default configuration2022-05-24
CVEList
CVE-2021-33321: Insecure default configuration in Liferay Portal 62021-08-03
CVE-2021-33321 — Liferay DXP vulnerability | cvebase