CVE-2021-33322
HIGHLiferay Portal <7.3.0 - Liferay DXP <7.2.5 - Info Disclosure
Title source: llmDescription
In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 18, and 7.2 before fix pack 5, password reset tokens are not invalidated after a user changes their password, which allows remote attackers to change the user’s password via the old password reset token.
References (2)
Core 2
Core References
Release Notes, Vendor Advisory x_refsource_confirm
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748020
Patch, Vendor Advisory x_refsource_confirm
https://issues.liferay.com/browse/LPE-16981
Scores
CVSS v3
7.5
EPSS
0.0022
EPSS Percentile
44.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-613
Status
published
Products (3)
com.liferay.portal/com.liferay.portal.impl
0 - 5.7.3Maven
com.liferay.portal/release.dxp.bom
7.0.0 - 7.0.10.fp96Maven
liferay/digital_experience_platform
7.0 (48 CPE variants)
Published
Aug 03, 2021
Tracked Since
Feb 18, 2026