CVE-2021-33321
published 2021-08-03CVE-2021-33321: Insecure default configuration in Liferay Portal 6.2.3 through 7.3.2, and Liferay DXP before 7.3, allows remote attackers to enumerate user email address via…
high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
Insecure default configuration in Liferay Portal 6.2.3 through 7.3.2, and Liferay DXP before 7.3, allows remote attackers to enumerate user email address via the forgot password functionality. The portal.property login.secure.forgot.password should be defaulted to true.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| liferay | dxp | < 7.3 | 7.3 |
| liferay | liferay_portal | >= 6.2.3 < 7.3.3 | 7.3.3 |